US20170104674A1 - Data center networks - Google Patents
- Publication number: US20170104674A1 (application no. US 15/383,090)
- Authority: US (United States)
- Prior art keywords
- virtual
- packet forwarding
- address
- server
- packet
- Prior art date
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L45/00—Routing or path finding of packets in data switching networks
        - H04L45/56—Routing software
        - H04L45/58—Association of routers
          - H04L45/586—Association of routers of virtual routers
      - H04L49/00—Packet switching elements
        - H04L49/70—Virtual switches
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/101—Access control lists [ACL]
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F9/00—Arrangements for program control, e.g. control units
        - G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
          - G06F9/44—Arrangements for executing specific programs
            - G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
              - G06F9/45533—Hypervisors; Virtual machine monitors
                - G06F9/45545—Guest-host, i.e. hypervisor is an application program itself, e.g. VirtualBox
                - G06F9/45558—Hypervisor-specific management and integration aspects
Definitions
- the present application relates to data center networks.
- the present application relates to connectivity and security in data center networks.
- Data center deployments typically provide a computational resource in the form of a number of servers, which can be utilized for various computational tasks, such as data processing, file serving, application hosting and the provision of telecommunications services.
- Such servers are typically comprised within a data center network which interconnects the various servers in the data center deployment and facilitates communication between them.
- the data center network will take the form of a local area network (or LAN), which is deployed at a data center facility which houses the various servers and other necessary hardware required for the data center deployment.
- LAN: local area network
- a data center deployment may include servers at different geographic locations. Such deployments may be referred to as distributed data centers.
- a distributed data center network may provide geographical redundancy to the data center deployment, such that a disruption or failure at a particular data center facility does not result in a loss of service, as the required computation can be provided by servers at other data center facilities in the data center network.
- the computational resource provided by a data center may be utilized in various ways.
- each server in a data center may have a dedicated function or set of functions to perform.
- this can result in poor scalability and inefficient hardware-resource utilization because some functions in the data center network may not utilize all of the hardware resources that have been allocated.
- virtualization techniques have been developed which allow a virtual system (or ‘guest’) to be created and deployed on a real, physical machine (or ‘host’) such as a server.
- guest virtual systems include virtual machines, as well as virtual environments (such as Linux Containers; LXC). The virtual system then behaves as if it were an independent machine or environment with a defined function or set of functions to perform.
- One of the advantages that use of virtualization can provide in data center networks is that multiple guests can be deployed on a single host, with each guest sharing the available hardware resources of the host machine, but operating potentially independently of each other. If the guests running on a particular host are not making efficient use of the computational resource of the host machine (i.e. there is a significant amount of spare capacity available on the host), then an extra guest can be added to the host. Similarly, if the guests running on a particular machine require more combined computational resource than the host machine can provide, then one or more of the guests can be moved to a different host machine in the data center network.
- this demand can be met by setting up additional guests (either by utilizing spare capacity on one of the host machines in the data center network or by adding extra hosts to the data center network).
- the guest virtual systems in a data center deployment may be virtualized as separate communication endpoints in the data center network (which may be configured as a local area network, or LAN, for example).
- each host server may act as a switch to pass data packets to and from the guests that it hosts.
- data center networks operate according to the Internet Protocol (IP) suite.
- IP: Internet Protocol
- switching within a particular network, e.g. a LAN
- MAC: media access control
- OSI: open systems interconnection
- all of the guests may belong to the same enterprise (or ‘tenant’). Such deployments are known as single tenant data centers. Alternatively, so called multi-tenant data centers may include guests belonging to several different tenants. In order to provide segregation between the virtual systems of different tenants, e.g. for information security or conflict avoidance reasons, a number of virtual LANs may be configured in the network which provide connectivity between the various virtual systems associated with a given tenant, but not to virtual systems associated with different tenants.
- In a first embodiment of the present application there is provided a method for controlling communication access in a data center network, the method comprising: receiving, at a server in the data center network, a setup notification relating to setup of a virtual system on the server; and in response to receipt of the setup notification, populating one or more entries in an access control data store, the one or more entries comprising an internet protocol (IP) address of the virtual system and at least one associated IP address of one or more communication endpoints, wherein the access control data store is accessed by a packet forwarding function comprised within the server when making forwarding decisions for data packets.
- In a second embodiment there is provided apparatus for use in a data center network, the apparatus comprising at least one processor, and at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processor, cause the apparatus at least to: receive, at a server in the data center network, a setup notification relating to setup of a virtual system on the server; and in response to receipt of the setup notification, populate one or more entries in an access control data store, the one or more entries comprising an internet protocol (IP) address of the virtual system and at least one associated IP address of a communication endpoint with which communication is allowed, wherein the access control data store is accessed by a packet forwarding function comprised within the server when making forwarding decisions for data packets.
- In a third embodiment there is provided a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform the method of the first embodiment of the application.
- Embodiments comprise a computer program product (for example computer software) adapted to perform the method of the first embodiment of the present application.
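- The first-embodiment flow above (setup notification arrives at the server, the access control data store is populated with virtual-system IP / allowed-endpoint IP entries, and the packet forwarding function consults that store when deciding whether to forward) can be modelled in a few lines. The Python below is an added example and is not code from the patent or from any product; the notification message shape, the default-deny treatment of addresses that have no entries, and all IP addresses are assumptions made for the example.

```python
"""Toy model: access control data store populated from setup notifications.

Added example, not from the patent. The notification format, the default-deny
behaviour for addresses with no entries, and all addresses are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


class AccessControlStore:
    """Entries pair a hosted virtual system's IP with the endpoint IPs it may talk to."""

    def __init__(self):
        # virtual-system IP -> set of allowed peer IPs (one (vm, peer) entry per pair)
        self._entries: dict[str, set[str]] = {}

    def populate(self, vm_ip: str, peers) -> None:
        self._entries.setdefault(vm_ip, set()).update(peers)

    def is_local(self, ip: str) -> bool:
        return ip in self._entries

    def allows(self, vm_ip: str, peer_ip: str) -> bool:
        return peer_ip in self._entries.get(vm_ip, set())


class Server:
    """Host server: receives setup notifications and forwards packets for its guests."""

    def __init__(self):
        self.acl = AccessControlStore()

    def on_setup_notification(self, notification: dict) -> None:
        # Assumed message shape from the virtualization tool (hypervisor or orchestrator):
        # {"event": "setup", "vm_ip": "...", "allowed": ["...", ...]}
        if notification.get("event") != "setup":
            raise ValueError("not a setup notification")
        self.acl.populate(notification["vm_ip"], notification["allowed"])

    def forwarding_decision(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop'; the data store is consulted for both directions."""
        src_local = self.acl.is_local(pkt.src_ip)
        dst_local = self.acl.is_local(pkt.dst_ip)
        if not (src_local or dst_local):
            return "drop"   # neither end is a hosted guest with entries: assumed default-deny
        if src_local and not self.acl.allows(pkt.src_ip, pkt.dst_ip):
            return "drop"   # outbound: a guest may only reach its listed endpoints
        if dst_local and not self.acl.allows(pkt.dst_ip, pkt.src_ip):
            return "drop"   # inbound: only listed endpoints may reach the guest
        return "forward"


def demo() -> dict:
    """Constructed scenario: two guests are set up, each with its permitted peers."""
    server = Server()
    server.on_setup_notification(
        {"event": "setup", "vm_ip": "10.0.0.2", "allowed": ["10.0.0.3", "198.51.100.7"]}
    )
    server.on_setup_notification(
        {"event": "setup", "vm_ip": "10.0.0.3", "allowed": ["10.0.0.2"]}
    )
    cases = {
        "out_allowed": Packet("10.0.0.2", "198.51.100.7"),
        "out_denied": Packet("10.0.0.2", "203.0.113.9"),
        "in_allowed": Packet("198.51.100.7", "10.0.0.2"),
        "in_denied": Packet("203.0.113.9", "10.0.0.2"),
        "guest_to_guest": Packet("10.0.0.2", "10.0.0.3"),
        "unknown_both": Packet("203.0.113.9", "203.0.113.10"),
    }
    return {name: server.forwarding_decision(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15s} {decision}")
```

The point of checking both directions is that the store is keyed by the hosted guest: an inbound packet is matched against the destination guest's entries and an outbound packet against the source guest's, so a guest that was never announced by a setup notification gets no connectivity at all under the assumed default-deny rule.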
- FIG. 1 illustrates an apparatus according to one or more disclosed embodiments
- FIG. 2 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 3 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 4 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 5 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 6 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 7 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 8 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 9 illustrates an example data center network according to one or more disclosed embodiments.
- FIG. 10 illustrates a message flow for a connectivity process according to one or more disclosed embodiments
- FIG. 11 illustrates a message flow for a connectivity process according to one or more disclosed embodiments
- FIG. 12 illustrates a message flow for a connectivity process according to one or more disclosed embodiments
- FIG. 13 illustrates a message flow for a connectivity process according to one or more disclosed embodiments
- FIG. 14 illustrates a message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 15 illustrates a message flow for a packet forwarding process according to one or more disclosed embodiments
- FIG. 16 illustrates a message flow for an access control process according to one or more disclosed embodiments.
- FIG. 17 illustrates a message flow for an access control process according to one or more disclosed embodiments.
- a packet forwarding function is provided in a server in a data center network.
- the packet forwarding function is configured to behave as a virtualized router for forwarding data packets between one or more virtual systems hosted on the server and the rest of the data center network
- FIG. 1 illustrates an apparatus 100 according to certain embodiments.
- apparatus 100 may comprise a server.
- apparatus 100 may be a hardware module comprised within a server in the data center network, for example a server blade or other hardware component.
- Server 100 is configured to host one or more virtual systems, including virtual system 102 .
- server 100 further hosts virtual system 104 .
- server 100 may host a single virtual system (e.g. 102 ), or may host more than the two illustrated virtual systems. Through hosting the one or more virtual systems 102 , 104 , server 100 can be considered to comprise the one or more virtual systems 102 , 104 .
- Server 100 may further comprise packet forwarding function 106 , which is configured to forward data packets that may be routed to and/or from the one or more virtual systems 102 , 104 hosted on server 100 .
- Packet forwarding function 106 may be configured to make forwarding decisions for received data packets on the basis of the destination IP address of the received data packet. Packet forwarding function 106 can be considered to behave as a virtualized router within server 100 . By making forwarding decisions for received packets on the basis of the destination IP address, the packet forwarding function can be considered to operate at “Layer 3” of the OSI model.
- Providing a virtualized routing function within server 100 to route data packets to and/or from the virtual systems hosted on server 100 may serve to enable more efficient scaling in data center networks.
- the use of IP addresses to make forwarding decisions enables the data center network to be segregated into a number of separate networks, therefore facilitating an arbitrarily large number of virtual systems to be incorporated into the network.
- Layer 2 switching protocols suffer inefficiencies when the network has a large total number of endpoints or is distributed over relatively large geographic areas. This is due to the inability to aggregate Layer 2 forwarding information, and the relatively simplistic design of the Layer 2 control plane protocols.
- the one or more virtual systems 102 , 104 may comprise virtual machines.
- Server 100 may host the one or more virtual machines through use of a virtualization tool such as a hypervisor.
- a hypervisor may run on top of an existing operating system on the server 100 , or it may run directly on the server hardware without an intermediate operating system (in a so called ‘bare metal’ configuration).
- the hypervisor (not shown) may comprise packet forwarding function 106 .
- a software tool such as OpenStack™ may be used to run the virtual machines on server 100 .
- the one or more virtual systems 102 , 104 may comprise virtual environments, such as ‘containers’.
- server 100 is configured with a Linux kernel, and may host the one or more virtual systems through the use of the virtualization tool Linux Containers (LXC).
- LXC: Linux Containers virtualization tool
- the one or more virtual systems 102 , 104 may be configured to connect to packet forwarding function 106 via respective virtual connections 108 , 110 .
- the virtual connections 108 , 110 may comprise virtual Ethernet connections.
- packet forwarding function 106 may comprise one or more virtual interfaces 112 , 114 , with each virtual connection 108 , 110 being connected to packet forwarding function 106 via a respective virtual interface 112 , 114 .
- the one or more virtual ports may comprise virtual Ethernet ports.
- the one or more virtual ports may comprise network tunnel connections.
- the one or more virtual ports may comprise network tap connections.
- packet forwarding function 106 is comprised within a Linux kernel running on server 100 , and the one or more virtual systems 102 , 104 running on the server are connected via virtual connections 108 , 110 to virtual interface 112 , 114 in the Linux kernel.
- server 100 includes a physical network interface 116 , through which packet forwarding function 106 can send packets to and receive packets from entities in the data center network outside of server 100 .
- packet forwarding function 106 is responsible for forwarding data packets between the one or more virtual systems 102 , 104 hosted on server 100 and the wider data center network, accessed via physical network interface 116 and physical network connection 118 .
- the physical network interface may comprise one or more network interface cards (NIC).
- NIC: network interface card
- physical network connection 118 may comprise a part of a data center switching fabric for interconnecting one or more servers in the data center network.
- the virtualized router arrangement of the present disclosure provides efficient means for forwarding data packets between the one or more virtual systems 102 , 104 hosted on server 100 and the wider data center network via the physical network interface 116 and physical network connection 118 .
- known arrangements that are commonly used to forward data packets between guest virtual systems and the physical network interface of a host server commonly use “Layer 2” MAC address based switching and are necessarily highly complex in order to provide interoperability between the virtual systems and the physical network interface of the server. This high complexity may be avoided through use of the virtualized router arrangement that is provided in embodiments of this application.
- the virtualized router arrangement provided by packet forwarding function 106 segregates the one or more virtual systems 102 , 104 running on server 100 into a separate local network which is distinct from the remainder of the data center network.
- the one or more virtual systems 102 , 104 running on server 100 are comprised within an “internal” network, which is in turn comprised within server 100 .
- the internal network provides interconnection between the one or more virtual systems 102 , 104 hosted on server 100 and packet forwarding function 106 .
- a different, “external” network then provides interconnection between server 100 and one or more other servers in the data center network.
- packet forwarding function 106 can be considered to connect the internal network within server 100 to the external network.
- the internal network comprised within server 100 can be considered to be a virtual network, because it exists within server 100 and may comprise virtual hardware, including virtual systems 102 , 104 .
- packet forwarding function 106 may have an IP address in the internal network that is different to the IP address that it has in the external network.
- the IP address of packet forwarding function 106 in the external network may be the same as an IP address of server 100 in the data center network.
- the IP address of packet forwarding function 106 in the internal network comprised within server 100 is the IP address observed by virtual systems 102 and 104 .
- FIG. 1 also includes elements 118 , 120 , 122 , 124 , 126 , 128 , 130 and 132 , the function of which will be explained later below.
- FIG. 2 illustrates an example message flow for a packet forwarding process according to embodiments.
- Initially data packet 2 a is received at packet forwarding function 106 from the physical network interface 116 of server 100 .
- Received data packet 2 a may have originated from another server in the data center network, or another location external to server 100 , such as the public internet.
- packet forwarding function 106 may be configured to make a forwarding decision for the received data packet on the basis of the destination IP address of the received data packet at step 200 .
- the received data packet has the IP address of virtual system 102 as the destination IP address. Therefore, the result of the forwarding decision made at step 200 is to forward the data packet to virtual system 102 as forwarded data packet 2 b .
- Forwarded data packet 2 b is forwarded to virtual system 102 using virtual connection 108 via virtual interface 112 .
- FIG. 3 illustrates an example message flow for a packet forwarding process according to embodiments.
- data packet 3 a is received at packet forwarding function 106 from a virtual system hosted on server 100 , in this case virtual system 102 .
- Received data packet 3 a is received from virtual system 102 over virtual connection 108 via virtual interface 112 .
- packet forwarding function 106 may be configured to make a forwarding decision for the received data packet on the basis of the destination IP address of the received data packet at step 300 .
- the received data packet has the IP address of an endpoint located outside of server 100 (i.e.
- the result of the forwarding decision made at step 300 is to forward the data packet into the external network, via the physical network interface 116 of server 100 , as forwarded data packet 3 b.
- FIG. 4 illustrates an example message flow for a packet forwarding process according to embodiments.
- Initially data packet 4 a is received at packet forwarding function 106 from a virtual system hosted on server 100 , in this case virtual system 102 .
- packet forwarding function 106 may be configured to make a forwarding decision for the received data packet on the basis of the destination IP address of the received data packet at step 400 .
- the received data packet has the IP address of another virtual system hosted on server 100 as the destination IP address, in this case virtual system 104 . Therefore, the result of the forwarding decision made at step 400 is to forward the data packet to virtual system 104 as forwarded data packet 4 b .
- Forwarded data packet 4 b is forwarded to virtual system 104 using virtual connection 110 via virtual interface 114 .
- data packets are routed from the one or more virtual systems 102 , 104 hosted on server 100 to packet forwarding function 106 because the IP address of packet forwarding function 106 in the internal network comprised within server 100 is advertised as the default route for data packets originating in that internal network.
- This default route setup configures the one or more virtual systems hosted on server 100 to transmit outgoing data packets to the packet forwarding function, which is then equipped to make forwarding decisions for the received data packets.
- received data packets 3 a , 4 a are received on the basis of this default route configuration.
- such a default route setup may be achieved by configuring packet forwarding function 106 to respond to address resolution request messages with the media access control (MAC) address of packet forwarding function 106 in the internal network comprised within server 100 .
- FIG. 5 illustrates an example message flow for an address resolution process according to embodiments.
- virtual system 102 hosted on server 100 has an outgoing data packet to transmit to a given destination IP address.
- virtual system 102 first transmits address query message 5 a in relation to the destination IP address.
- address query message 5 a may comprise an address resolution protocol (ARP) (in the case of an Internet Protocol version 4 (IPv4) destination address) or Neighbor discovery (ND) message (in the case of an Internet Protocol version 6 (IPv6) destination address).
- Address query message 5 a may be broadcast to devices within the internal network that are connected to virtual system 102 , which in this case includes only packet forwarding function 106 .
- ARP: address resolution protocol
- ND: Neighbor discovery
- IPv4: Internet Protocol version 4
- IPv6: Internet Protocol version 6
- Packet forwarding function 106 may be configured to intercept the address query message 5 a by not forwarding the message to any other devices within the internal network. In response to receipt of address query message 5 a , packet forwarding function 106 is configured to respond by transmitting address response message 5 b to virtual system 102 , which includes the MAC address of packet forwarding function 106 in the internal network.
- virtual system 102 may be configured to transmit the data packet using the MAC address comprised within the received address response message 5 b . Therefore, data packet 5 c is transmitted from virtual system 102 to packet forwarding function 106 . Data packet 5 c is thus received at packet forwarding function 106 on the basis of the transmitted address response message 5 b .
- packet forwarding function 106 may be configured to make a forwarding decision for the packet on the basis of the destination IP address of data packet 5 c at step 500 , for example as described previously in relation to any of FIGS. 2 to 4 .
- packet forwarding function 106 may be configured to make forwarding decisions on the basis of one or more packet forwarding data entries maintained in packet forwarding data store 118 . As illustrated in FIG. 1 , in some embodiments, packet forwarding data store 118 is accessible to packet forwarding function 106 for use in making forwarding decisions for received data packets. In some embodiments, packet forwarding data store 118 includes entries that may comprise “next hop” IP addresses for various destination IP addresses. Each next hop IP address may be associated with a border gateway or routing entity via which the device associated with the destination IP address may be reached, or it may be the same as the destination IP address if the device associated with destination IP address is located in the same network.
- packet forwarding data store 118 may comprise a forwarding information base (FIB), or forwarding table.
- FIB: forwarding information base
- packet forwarding function 106 can determine the next hop IP address required to reach the destination IP address of a received data packet, and therefore make a forwarding decision as to how to forward the received data packet on that basis.
- FIG. 6 illustrates an example message flow for a packet forwarding process according to embodiments.
- data packet 6 a is received at packet forwarding function 106 from virtual system 102 (for example as a result of the default route configuration described above).
- packet forwarding function 106 may be configured to access packet forwarding data store 118 in relation to the destination IP address of received data packet 6 a , through data store query 6 b and corresponding data store response 6 c .
- packet forwarding function 106 may be configured to make a forwarding decision for the received data packet as step 600 .
- data store response 6 c may comprise a next hop IP address for use in routing the data packet towards the destination IP address.
- the next hop IP address is located externally to server 100 , therefore packet forwarding function 106 makes a forwarding decision to forward the data packet to the retrieved next hop IP address, via the physical network interface 116 , as forwarded data packet 6 d.
- if the packet forwarding data store 118 does not include an entry that corresponds to the destination IP address of the received data packet, then the outcome of the forwarding decision is for the received data packet to be dropped by packet forwarding function 106 (i.e. not forwarded).
- the packet forwarding data store 118 includes entries which comprise an interface identifier which identifies the appropriate interface 112 , 114 , 116 through which packets should be forwarded in order to reach various next hop IP addresses.
- the port through which a received data packet is forwarded by packet forwarding function 106 is determined on the basis of an interface identifier retrieved from packet forwarding data store 118 , for example in data store response 6 c . In such embodiments, the forwarding decisions made by packet forwarding function 106 are further based on the retrieved interface identifier.
- packet forwarding function 106 is configured to make forwarding decisions on the basis of one or more address translation data entries maintained in address translation data store 120 .
- address translation data store 120 is accessible to packet forwarding function 106 for use in making forwarding decisions for received data packets.
- address translation data store 120 includes entries that may comprise a MAC address which corresponds to a given IP address to which packets may be forwarded.
- address translation data store 120 may comprise an ARP cache or ND cache. By querying the address translation data store 120 , packet forwarding function 106 can determine the MAC address required to reach the IP address to which a received data packet is to be forwarded, and therefore make a forwarding decision as to how to forward the received data packet on that basis.
- FIG. 7 illustrates an example message flow for a packet forwarding process according to embodiments.
- data packet 7 a is received at packet forwarding function 106 via the physical network interface 116 , with a destination IP address that is the IP address of virtual system 102 .
- packet forwarding function 106 may be configured to access address translation data store 120 in relation to the IP address of virtual system 102 , through data store query 7 b and corresponding data store response 7 c .
- packet forwarding function 106 may be configured to make a forwarding decision for the received data packet at step 700 .
- data store response 7 c may comprise the MAC address of virtual system 102 for use in forwarding the received data packet to the destination IP address. Therefore, packet forwarding function 106 makes a forwarding decision to forward the data packet using the retrieved MAC address for virtual system 102 , via virtual network interface 112 , as forwarded data packet 7 d.
- FIG. 8 illustrates an example message flow for a packet forwarding process according to embodiments.
- data packet 8 a is received at packet forwarding function 106 from virtual system 102 .
- packet forwarding function 106 may be configured to access packet forwarding data store 118 in relation to the destination IP address of received data packet 8 a , through data store query 8 b and corresponding data store response 8 c .
- data store response 8 c may comprise a next hop IP address for use in routing the data packet towards the destination IP address.
- the next hop IP address is located externally to server 100 , and is reachable via the physical network interface 116 .
- packet forwarding function 106 may be configured to access address translation data store 120 in relation to the next hop IP address, through data store query 8 d and corresponding data store response 8 e .
- data store response 8 e may comprise the MAC address of the device associated with the retrieved next hop IP address for the data packet.
- packet forwarding function 106 is configured to make a forwarding decision for the received data packet at step 800 , which results in the data packet being forwarded to the next hop IP address, using the retrieved MAC address, via physical network interface 116 , as forwarded data packet 8 f.
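- The message flows of FIGS. 5 to 8 (the packet forwarding function answers every guest address query with its own MAC so that all guest traffic reaches it; it then looks the destination up in the packet forwarding data store 118 for a next hop and interface, looks the next hop up in the address translation data store 120 for a MAC, and drops packets with no forwarding entry) are modelled below in Python. This is an added example, not code from the patent or from the Linux kernel: the addresses, MAC addresses, interface names, the longest-prefix-match lookup, and the "resolve" outcome for a next hop whose MAC is not yet cached are all assumptions made for the example.

```python
"""Toy model of the per-server virtualized router of FIGS. 5 to 8.

Added example, not from the patent. Addresses, MACs, interface names,
longest-prefix matching and the 'resolve' outcome are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None: destination is directly attached, next hop == destination
    iface: str                # interface identifier (112, 114 or 116 in FIG. 1)


class PacketForwardingFunction:
    def __init__(self, internal_mac: str):
        self.internal_mac = internal_mac        # MAC that guests see on the internal network
        self.fib: list[FibEntry] = []           # packet forwarding data store 118
        self.arp_cache: dict[str, str] = {}     # address translation data store 120: IP -> MAC

    def add_route(self, prefix: str, next_hop: Optional[str], iface: str) -> None:
        self.fib.append(FibEntry(ipaddress.ip_network(prefix), next_hop, iface))

    def learn_mac(self, ip: str, mac: str) -> None:
        self.arp_cache[ip] = mac

    def handle_address_query(self, target_ip: str) -> str:
        """FIG. 5: intercept the guest's ARP/ND query (it is never flooded to other guests)
        and answer with our own MAC whatever the target, so every guest packet lands here."""
        return self.internal_mac

    def lookup(self, dst_ip: str) -> Optional[FibEntry]:
        """Longest-prefix match over the FIB (assumed; the page only says 'an entry for the destination')."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for entry in self.fib:
            if addr in entry.prefix and (best is None or entry.prefix.prefixlen > best.prefix.prefixlen):
                best = entry
        return best

    def forward(self, pkt: Packet) -> tuple:
        """FIGS. 6 to 8: return (action, interface identifier, next-hop MAC)."""
        entry = self.lookup(pkt.dst_ip)
        if entry is None:
            return ("drop", None, None)            # no FIB entry: packet is dropped, not forwarded
        next_hop = entry.next_hop or pkt.dst_ip     # same network: the next hop is the destination
        mac = self.arp_cache.get(next_hop)
        if mac is None:
            return ("resolve", entry.iface, None)   # assumed: trigger ARP/ND on that interface
        return ("forward", entry.iface, mac)


def build_example_server() -> PacketForwardingFunction:
    """Constructed topology: guests 102/104 behind 112/114, fabric via 116, gateway 192.0.2.1."""
    pff = PacketForwardingFunction(internal_mac="02:00:00:00:00:01")
    pff.add_route("10.0.0.2/32", None, "vif112")        # virtual system 102
    pff.add_route("10.0.0.3/32", None, "vif114")        # virtual system 104
    pff.add_route("192.0.2.0/24", None, "eth116")       # data center switching fabric subnet
    pff.add_route("0.0.0.0/0", "192.0.2.1", "eth116")   # border gateway as default next hop
    pff.learn_mac("10.0.0.2", "02:00:00:00:01:02")
    pff.learn_mac("10.0.0.3", "02:00:00:00:01:04")
    pff.learn_mac("192.0.2.1", "02:00:00:00:09:01")
    return pff


if __name__ == "__main__":
    pff = build_example_server()
    print("ARP answer for 10.0.0.3 ->", pff.handle_address_query("10.0.0.3"))
    for p in (Packet("192.0.2.5", "10.0.0.2"),       # FIG. 7: inbound to guest 102
              Packet("10.0.0.2", "10.0.0.3"),        # FIG. 4: guest to guest, routed not switched
              Packet("10.0.0.2", "198.51.100.7"),    # FIG. 8: outbound via the default route
              Packet("10.0.0.2", "192.0.2.9")):      # on-fabric host whose MAC is not cached yet
        print(p.dst_ip, pff.forward(p))
```

Two details worth noticing: a guest asking for the MAC of the other guest on the same server still gets the forwarding function's own MAC, so even guest-to-guest traffic is routed at Layer 3 rather than switched; and a forwarding function with an empty FIB drops everything, which is the default-deny posture the page describes. On a Linux host the equivalent is proxy ARP on the guest-facing interfaces together with per-guest /32 routes in the kernel routing table, but that mapping is an observation of this example, not a statement the patent makes.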
- FIG. 9 illustrates an example data center network 900 according to embodiments.
- data center network 900 may comprise a plurality of servers (or server components) including at least server 100 a and server 100 b .
- In FIG. 9 many of the components of servers 100 a and 100 b have been omitted for clarity; however, their structure and operation is similar to that described above in relation to FIG. 1 .
- only two servers 100 a , 100 b are shown, however, in further embodiments, more than two servers may be provided.
- each of the depicted servers 100 a , 100 b is shown as comprising two virtual systems, 102 a and 104 a , and 102 b and 104 b respectively.
- one or more of the servers 100 a , 100 b may comprise only one virtual system, or more than two virtual systems.
- Packet forwarding function 106 a connects the virtual systems 102 a , 104 a , on the internal network within server 100 a to the external network, via the physical network interface of server 100 a .
- the external network may comprise the data center switching fabric 902 , which interconnects the various physical machines in the data center network, including servers 100 a and 100 b .
- packet forwarding function 106 b connects the virtual systems 102 b , 104 b , on the internal network within server 100 b to the external network (i.e. data center switching fabric 902 ), via the physical network interface of server 100 b.
- data center network 900 also may comprise border gateway entity 904 , which provides connectivity between data center network 900 and one or more further networks 906 .
- border gateway entity 904 may comprise a border router which is responsible for routing data traffic within the data center switching fabric 902 .
- the one or more further networks 906 may comprise the public internet.
- the one or more further networks 906 may comprise one or more other data center networks which form a distributed data center deployment. In some such embodiments, the one or more other data center networks are accessible via an inter-data center backbone.
- the IP addresses of the virtual systems 102 a , 104 a , 102 b , 104 b in data center network 900 are routable, i.e. unique, within data center network 900 .
- the IP addresses of one or more of the virtual systems 102 a , 104 a , 102 b , 104 b in data center network 900 are publicly routable, which is to say that they are unique within the public internet (accessible via border gateway entity 904 ) as well as within data center network 900 .
- the packet forwarding functions 106 a , 106 b may be configured with different IP addresses with respect to the external network (i.e. data center switching fabric 902 ) versus their respective internal networks (i.e. the network comprised within the respective server 100 a , 100 b which includes the virtual systems hosted on that server).
- the packet forwarding functions 106 a , 106 b may be configured with IP addresses in the external network that are unique within the data center switching fabric 902 .
- the various packet forwarding functions 106 a , 106 b in the data center network may be configured with the same IP addresses in their respective internal networks.
- the various virtual systems in the data center network communicate via a packet forwarding function 106 a , 106 b which appears to have the same IP address. This allows virtual systems 102 a , 104 a , 102 b , 104 b to be more easily moved between the various host servers 100 a , 100 b in the data center network.
- because the internal networks comprised within the various host servers 100 a , 100 b in the data center network appear effectively the same to hosted virtual systems (i.e. the packet forwarding functions have the same IP addresses, which are also the default route in the respective internal networks), virtual systems can be moved between the various host servers without requiring extensive reconfiguration.
- the IP addresses of packet forwarding functions 106 a , 106 b in the external network are advertised in the external network as the default next hop IP address for reaching the one or more virtual systems 102 a , 104 a , 102 b , 104 b hosted on the respective server 100 .
- the IP addresses of packet forwarding functions 106 a , 106 b in the external network are advertised in the external network as the default next hop IP address for data packets being routed to the associated virtual systems.
- the packet forwarding functions 106 a , 106 b also have the same MAC addresses in their respective internal networks, thereby further reducing the reconfiguration required when moving virtual systems between the various host servers 100 a , 100 b in the data center network.
- the packet forwarding functions have unique MAC addresses in the external network (i.e. data center switching fabric 902 ) in order to ensure that they are uniquely routable within the external network. Therefore, in such embodiments, the MAC address of a given packet forwarding function in the external network is different to its MAC address in its respective internal network.
- measures are provided to establish connectivity between packet forwarding function 106 and the virtual systems 102 , 104 hosted on server 100 , by establishing the necessary virtual connection 108 , 110 and populating entries in packet forwarding data store 118 .
- these measures are provided in the form of connectivity component 122 comprised within server 100 .
- connectivity component 122 may be provided in the form of a plugin for the software tool.
- connectivity component 122 may comprise a background process, such as a Linux daemon, running on server 100 .
- the functions of connectivity component 122 are comprised within packet forwarding function 106 .
- Server 100 may comprise an orchestrator component 124 , such as the orchestrator provided within OpenStack or the ‘Flynn’ orchestrator used in Linux Containers, for managing the setup of virtual systems 102 , 104 on server 100 .
- the orchestrator component 124 is configured to notify connectivity component 122 when a virtual system 102 , 104 , is setup on server 100 .
- the connectivity component 122 may subscribe to notifications from orchestrator component 124 .
- connectivity component 122 may monitor server 100 to determine when setup of a virtual system occurs.
- FIG. 10 illustrates a message flow for a connectivity process according to embodiments.
- setup notification 10 a which relates to setup of a virtual system on server 100 , is received by connectivity component 122 .
- setup notification 10 a relates to setup of virtual system 102 .
- setup notification 10 a is sent by the orchestrator component 124 .
- setup notification 10 a may result from monitoring performed by connectivity component 122 .
- connectivity component 122 is configured to create virtual connection 108 between virtual system 102 and packet forwarding function 106 at step 1000 .
- connectivity component 122 is configured to populate an entry in packet forwarding data store 118 comprised within server 100 by sending data entry update message 10 b .
- the entry in packet forwarding data store 118 may comprise the IP address of virtual system 102 , and an identifier for the virtual connection 108 which connects virtual system 102 to packet forwarding function 106 .
- the identifier for virtual connection 108 may comprise an identifier for virtual interface 112 .
- the setup of the virtual connection at step 1000 may comprise setting up a virtual interface 112 in packet forwarding function 106 via which the virtual connection 108 between the packet forwarding function and virtual system 102 is established.
- virtual connection 108 may comprise virtual interface 112 .
- virtual interface 112 may comprise a virtual Ethernet port (veth).
- virtual interface 112 may comprise a network tunnel (tun).
- virtual interface 112 may comprise a network tunnel (tap).
- setup notification 10 a may comprise the IP address of virtual system 102 , which is then used to populate the entry in packet forwarding data store 118 .
- setup notification 10 a may comprise an identifier for virtual system 102 , which can be resolved into an IP address for virtual system 102 by connectivity component 122 .
- connectivity component 122 may allocate an IP address to virtual system 102 .
- the identifier for the virtual system may influence the choice of IP address allocated by connectivity component 122 . For example, the identifier may indicate that the virtual system belongs to a particular tenant, or performs a particular function, and therefore should be allocated an available IP address from a particular range.
- connectivity component 122 may be further configured to populate entries in address translation data store 120 in response to setup of a virtual system 102 , 104 on server 100 .
- FIG. 11 illustrates a message flow for a connectivity process according to embodiments.
- connectivity component 122 receives setup notification 11 a , which relates to setup of virtual system 102 on server 100 .
- setup notification 11 a is sent by the orchestrator component 124 .
- connectivity component 122 may be configured to create virtual connection 108 between virtual system 102 and packet forwarding function 106 at step 1100 .
- connectivity component 122 may also be configured to populate an entry in packet forwarding data store 118 that may be comprised within server 100 by sending data entry update message 11 b to the packet forwarding data store, as described above in relation to FIG. 10 .
- connectivity component 122 may be configured to populate an entry in address translation data store 120 comprised within server 100 by sending data entry update message 11 c to address translation data store 120 .
- the entry in address translation data store 120 may comprise the IP address of virtual system 102 and the MAC address of virtual system 102 .
- setup notification 11 a may comprise the MAC address of virtual system 102 , which is then used to populate the entry in address translation data store 120 .
- setup notification 11 a may comprise an identifier for virtual system 102 , which can be resolved into a MAC address for virtual system 102 by connectivity component 122 .
- the step of creating the virtual connection 1000 , 1100 may further comprise binding the generated connection to a network interface of the virtual system 102 , 104 . In some embodiments, the step of creating the virtual connection 1000 , 1100 may comprise configuring one or more guest network scripts on the virtual system 102 , 104 .
- connectivity component 122 is further responsive to closure of virtual systems 102 , 104 on server 100 , in order to remove the previously created connections 108 , 110 and delete the previously populated entries in the packet forwarding data store 118 and/or the address translation data store 120 .
- connectivity component 122 is notified through receipt of a closure notification when closure of a virtual system 102 , 104 on server 100 occurs. Again, such closure notifications may be received from an orchestrator component 124 , or may result from monitoring performed by connectivity component 122 .
- FIG. 12 illustrates a message flow for a connectivity process according to embodiments.
- connectivity component 122 receives closure notification 12 a , which relates to closure of a virtual system on server 100 .
- closure notification 12 a relates to closure of virtual system 102 .
- closure notification 12 a is sent by the orchestrator component 124 .
- closure notification 12 a may result from monitoring performed by connectivity component 122 .
- connectivity component 122 is configured to remove virtual connection 108 at step 1200 .
- connectivity component 122 is configured to delete the entry in packet forwarding data store 118 which may comprise the IP address of virtual system 102 and an identifier for virtual connection 108 , by sending data entry update message 12 b.
- connectivity component 122 may be further configured to delete entries in address translation data store 120 in response to closure of a virtual system 102 , 104 on server 100 .
- FIG. 13 illustrates a message flow for a connectivity process according to embodiments.
- closure notification 13 a , which relates to closure of virtual system 102 on server 100 , is sent by the orchestrator component 124 .
- connectivity component 122 may be configured to remove virtual connection 108 at step 1300 .
- connectivity component 122 may also be configured to delete the entry in packet forwarding data store 118 comprised within server 100 by sending data entry update message 13 b to packet forwarding data store 118 , as described above in relation to FIG. 12 .
- connectivity component 122 may be configured to delete the entry in address translation data store 120 which may comprise the IP address and MAC address of virtual system 102 , by sending data entry update message 11 c to address translation data store 120 .
- connectivity component 122 is configured to distribute packet forwarding information for virtual systems 102 , 104 hosted on server 100 to one or more entities outside of server 100 .
- connectivity component 122 may transmit a packet forwarding update message via physical network interface 116 to one or more entities in the data center network.
- the packet forwarding update message is transmitted in response to receipt of a setup notification and/or receipt of a closure notification received in relation to a virtual system 102 , 104 hosted on server 100 .
- the packet forwarding update message may comprise the IP address of that virtual system 102 , 104 as well as the IP address of server 100 .
- Server 100 may thus be configured by recipients of the packet forwarding update message as the next hop IP address in the data center network to be used for reaching that virtual system 102 , 104 .
- connectivity component 122 is configured to transmit packet forwarding update messages to one or more other servers in the data center network.
- a connectivity component running on that server can use the received packet forwarding update message to populate an entry in a forwarding data store on that server.
- the entry may comprise the IP address of the virtual system 102 , 104 and lists the IP address of server 100 as the next hop IP address to be used for routing to that virtual system.
- connectivity component 122 is configured to transmit packet forwarding update messages to a route reflector 908 depicted in FIG. 9 .
- Route reflector 908 is configured to receive packet forwarding update messages from servers in the data center network, and retransmit the packet forwarding update message to the other servers in the data center network.
- the connectivity components do not need to keep track of all of the servers located in the data center network in order to transmit packet forwarding update messages to them, as the distribution of packet forwarding update messages is handled by route reflector 908 .
- route reflector 908 is depicted as a distinct entity in the data center network, in alternative embodiments, the route reflector may be comprised within another entity in the data center network, such as border gateway entity 904 .
- when connectivity component 122 transmits packet forwarding update messages to a route reflector, connectivity component 122 may be considered to act as a route reflector client.
- server 100 may comprise route reflector client 126 , which is configured to monitor packet forwarding data store. In such embodiments, in response to detecting a change in the entries in the packet forwarding data store, route reflector client 126 may be configured to transmit a packet forwarding update message to route reflector 908 .
- the packet forwarding update messages are border gateway protocol (BGP) messages.
- the packet forwarding update messages comprise BGP UPDATE messages.
- in response to receipt of a packet forwarding update message received via physical network interface 116 from an entity outside of server 100 , connectivity component 122 may be configured to modify one or more entries in packet forwarding data store 118 . If the received packet forwarding update message relates to setup of a virtual system on another server in the data center network, connectivity component 122 may be configured to populate an entry in packet forwarding data store 118 which may comprise the IP address of that virtual system and lists the IP address of the server on which it is hosted as the next hop IP address for reaching that virtual system.
- connectivity component 122 may be configured to delete the entry in packet forwarding data store 118 which may comprise the IP address of that virtual system and the IP address of the server on which it is hosted.
- the received packet forwarding update message may comprise the IP address of that virtual system and the IP address of the server on which it is hosted.
- where server 100 comprises route reflector client 126 , the route reflector client may be responsible for modifying the entries in the packet forwarding data store instead of connectivity component 122 .
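The connectivity process of FIGS. 10 to 13 together with the distribution of forwarding information through a route reflector (FIG. 9, route reflector 908) can be simulated end to end. This is an added example, not the patent's or any project's code: `Server`, `RouteReflector`, `Notification` and `ForwardingUpdate` are constructed names, the forwarding update is a plain object standing in for a BGP UPDATE (announce or withdraw of a guest's /32 with the hosting server as next hop), and the addresses are made up. On a setup notification the connectivity component creates the virtual connection, populates the packet forwarding and address translation data stores, and sends an update; on closure it reverses all three. Every other server, receiving the reflected update, installs or removes a next-hop entry. The withdraw handler only removes an entry whose next hop is the withdrawing server, so a stale withdraw cannot remove a route that has since been re-announced by the guest's new host.

```python
"""Simulation of connectivity component 122 plus route reflector distribution.

Added illustration, not the patent's own code. Names and addresses are
constructed; ForwardingUpdate stands in for a BGP UPDATE message.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Notification:
    event: str          # "setup" (FIGS. 10/11) or "closure" (FIGS. 12/13)
    guest_id: str       # identifier the orchestrator uses for the virtual system
    ip: str
    mac: str


@dataclass(frozen=True)
class ForwardingUpdate:
    """Stand-in for a BGP UPDATE: announce or withdraw guest_ip via server_ip."""
    withdraw: bool
    guest_ip: str
    server_ip: str


class RouteReflector:
    """Receives updates from one server and re-sends them to all the others."""
    def __init__(self) -> None:
        self.clients: List["Server"] = []

    def register(self, server: "Server") -> None:
        self.clients.append(server)

    def reflect(self, update: ForwardingUpdate, sender: "Server") -> None:
        for client in self.clients:
            if client is not sender:
                client.on_forwarding_update(update)


class Server:
    def __init__(self, server_ip: str, reflector: RouteReflector) -> None:
        self.server_ip = server_ip
        self.reflector = reflector
        # packet forwarding data store 118: guest IP -> (interface, next hop or None)
        self.forwarding_store: Dict[str, Tuple[str, Optional[str]]] = {}
        # address translation data store 120: guest IP -> MAC
        self.address_translation_store: Dict[str, str] = {}
        self.connections: Dict[str, str] = {}       # guest id -> virtual interface
        self._ifnames = itertools.count(1)
        reflector.register(self)

    def on_notification(self, n: Notification) -> None:
        """Connectivity component behaviour for setup and closure notifications."""
        if n.event == "setup":
            veth = f"veth{next(self._ifnames)}"          # step 1000/1100: create connection
            self.connections[n.guest_id] = veth
            self.forwarding_store[n.ip] = (veth, None)   # message 10 b / 11 b
            self.address_translation_store[n.ip] = n.mac # message 11 c
            self.reflector.reflect(ForwardingUpdate(False, n.ip, self.server_ip), self)
        elif n.event == "closure":
            self.connections.pop(n.guest_id, None)       # step 1200/1300: remove connection
            self.forwarding_store.pop(n.ip, None)        # message 12 b / 13 b
            self.address_translation_store.pop(n.ip, None)
            self.reflector.reflect(ForwardingUpdate(True, n.ip, self.server_ip), self)
        else:
            raise ValueError(f"unknown notification event {n.event!r}")

    def on_forwarding_update(self, u: ForwardingUpdate) -> None:
        """Handle an update reflected from another server."""
        if u.withdraw:
            entry = self.forwarding_store.get(u.guest_ip)
            if entry is not None and entry[1] == u.server_ip:   # only the owner may withdraw
                del self.forwarding_store[u.guest_ip]
        else:
            self.forwarding_store[u.guest_ip] = ("eth0", u.server_ip)


def migrate_guest_demo() -> Tuple[Dict[str, Tuple[str, Optional[str]]], ...]:
    """Start a guest on server A, move it to server B; return both forwarding stores."""
    rr = RouteReflector()
    a, b = Server("10.0.0.10", rr), Server("10.0.0.20", rr)
    guest = Notification("setup", "vm-102", "192.0.2.10", "02:00:00:00:01:0a")
    a.on_notification(guest)
    a.on_notification(Notification("closure", "vm-102", guest.ip, guest.mac))
    b.on_notification(guest)
    return a.forwarding_store, b.forwarding_store


if __name__ == "__main__":
    print(migrate_guest_demo())
```

The demo at the bottom reproduces the move described in relation to FIG. 9: after the guest is closed on one server and set up on another with the same IP and MAC, the first server's store points at the second as next hop and the second has a local virtual interface entry, with no change to the guest's own configuration.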
- measures are provided to control communication access between virtual systems in the data center network. In some embodiments, these measures are provided in the form of access control data store 128 .
- access control data store 128 is comprised within server 100 .
- Access control data store 128 may comprise entries which comprise IP addresses which are allowed to communicate with each other in the data center network.
- access control data store 128 may comprise an access control list (ACL).
- access control data store 128 is accessed by packet forwarding function 106 for use in making forwarding decisions for received data packets.
- access control data store 128 acts as a whitelist for allowed combinations of IP addresses.
- packet forwarding function 106 is configured to only forward data packets that may be routed from a particular source IP address to a particular destination IP address if that combination of IP addresses is listed in an entry in access control data store 128 .
- the data packet is forwarded as described previously in relation to any of FIGS. 2 to 8 .
- the packet forwarding function 106 is configured to drop the data packet (i.e. not forward it on).
- access control data store 128 acts as a blacklist for restricted combinations of IP addresses.
- packet forwarding function 106 is configured to only forward data packets that may be routed from a particular source IP address to a particular destination IP address if that combination of IP addresses is not listed in an entry in access control data store 128 .
- the data packet is forwarded as described previously in relation to any of FIGS. 2 to 8 .
- the packet forwarding function 106 is configured to drop the data packet (i.e. not forward it on).
- one or more of the entries in access control data store 128 comprise a range of IP addresses. In this manner, several virtual systems that are allowed to communicate (or are restricted from communicating) can be defined. Further, if new virtual systems that are added to that group are allocated an IP address in the listed range, then communication between the new and existing virtual systems in the group is allowed (or restricted) without having to update the access control data store 128 with new individual entries.
- one or more of the entries in access control data store 128 comprise protocol identifiers alongside the listed IP addresses and or IP address ranges.
- the protocol identifiers specify particular protocols, applications or services which the listed IP addresses are allowed to use (or are restricted from using) to communicate.
- the protocol identifiers comprise IP port numbers.
- access control data store 128 acts as a whitelist for allowed combinations of IP addresses and applications. In alternative such embodiments, access control data store 128 acts as a blacklist for restricted combinations of IP addresses and applications.
- FIG. 14 illustrates a message flow for a packet forwarding process according to embodiments.
- data packet 14 a is received at packet forwarding function 106 from virtual system 102 (for example as a result of the default route configuration described previously).
- packet forwarding function 106 may be configured to query access control data store 128 in relation to the source and destination IP addresses of received data packet 14 a , through data store query 14 b and corresponding data store response 14 c .
- packet forwarding function 106 may be configured to make a forwarding decision for the received data packet at step 1400 .
- packet forwarding function 106 makes a forwarding decision to forward the data packet on, for example as described previously in relation to any of FIGS. 2 to 8 , via physical network interface 116 to a destination located outside of server 100 , as forwarded data packet 14 d.
- FIG. 15 illustrates a message flow for a packet forwarding process according to embodiments.
- data packet 15 a is received at packet forwarding function 106 via physical network interface 116 from a source located outside of server 100 .
- packet forwarding function 106 may be configured to query access control data store 128 in relation to the source and destination IP addresses of received data packet 15 a , through data store query 15 b and corresponding data store response 15 c .
- packet forwarding function 106 may be configured to make a forwarding decision for the received data packet at step 1500 .
- data store response 15 c indicates that communication between the specified source and destination IP addresses is allowed (either because there is a corresponding entry in access control data store 128 in the case of whitelist operation, or because there is no corresponding entry in access control data store 128 in the case of blacklist operation). Therefore, packet forwarding function 106 makes a forwarding decision to forward the data packet on, for example as described previously in relation to any of FIGS. 2 to 8 , to virtual system 102 as forwarded data packet 15 d.
- the access control measures provided by access control data store 128 are scalable to support arbitrarily large numbers of virtual systems in the data center network, and are not limited by the number of available virtual LANs for example, as is the case in many conventional systems. Further, as can be seen from FIGS. 14 and 15 , for traffic that is routed between virtual systems hosted on two different servers in the data center network, security is enforced at both the server that hosts the source virtual system and the server that hosts the destination virtual system. This duplication of security functions at both ingress and egress of the data center switching fabric provides increased resilience against any errors that may occur at either server.
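The access control behaviour of FIGS. 14 and 15, including range entries, protocol identifiers (port numbers) and whitelist versus blacklist operation, can be shown in a few dozen lines. This is an added example and not code from the patent; `AclEntry`, `AccessControlStore` and `forward_across_fabric` are constructed names and the addresses are made up. Entries are treated as pairs of endpoints that may (or may not) communicate with each other, matching in either direction, which is how the text describes them; a directional policy would simply drop the second clause of `matches`. The last function reproduces the point made about FIGS. 14 and 15: a packet between guests on two servers is checked on egress at the source server and again on ingress at the destination server, so an entry present in error on one server does not by itself let traffic through.

```python
"""Access control data store 128 as consulted by the packet forwarding function.

Added illustration, not the patent's own code. All names and addresses
are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    """A pair of endpoints (single IPs or ranges) with an optional protocol identifier."""
    a: ipaddress.IPv4Network
    b: ipaddress.IPv4Network
    port: Optional[int] = None      # None means any protocol/service

    def matches(self, src_ip: str, dst_ip: str, port: Optional[int]) -> bool:
        if self.port is not None and self.port != port:
            return False
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # the pair is allowed/restricted "with each other": either direction matches
        return (src in self.a and dst in self.b) or (src in self.b and dst in self.a)


class AccessControlStore:
    def __init__(self, entries: List[AclEntry], whitelist: bool = True) -> None:
        self.entries = list(entries)
        self.whitelist = whitelist

    def permits(self, src_ip: str, dst_ip: str, port: Optional[int] = None) -> bool:
        """Data store query 14 b / 15 b: is this src/dst/port combination listed?"""
        listed = any(e.matches(src_ip, dst_ip, port) for e in self.entries)
        return listed if self.whitelist else not listed


def forward_across_fabric(source_acl: AccessControlStore, dest_acl: AccessControlStore,
                          src_ip: str, dst_ip: str, port: Optional[int]) -> str:
    """Steps 1400 (source server, egress) and 1500 (destination server, ingress)."""
    if not source_acl.permits(src_ip, dst_ip, port):
        return "dropped at source server"
    if not dest_acl.permits(src_ip, dst_ip, port):
        return "dropped at destination server"
    return "delivered"


def entry(a: str, b: str, port: Optional[int] = None) -> AclEntry:
    return AclEntry(ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False), port)


# Constructed policy: guest 192.0.2.10 may talk HTTPS to a whole tenant range and
# anything to its sibling guest 192.0.2.11.
POLICY = [entry("192.0.2.10", "192.0.2.64/26", 443), entry("192.0.2.10", "192.0.2.11")]


if __name__ == "__main__":
    acl = AccessControlStore(POLICY, whitelist=True)
    print(acl.permits("192.0.2.10", "192.0.2.70", 443), acl.permits("192.0.2.10", "192.0.2.70", 22))
```

A practical check when deploying a whitelist store is that an empty store drops everything, including the traffic the connectivity component itself may need; populate the store before the guest's virtual connection is brought up.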
- access control data store 128 may be comprised within server 100 , or may be comprised outside of server 100 and accessible to one or more servers in the data center network.
- measures are provided to populate and maintain the entries comprised in access control data store 128 .
- these measures are provided in the form of security component 130 comprised within server 100 .
- security component 130 may be provided in the form of a plugin for the software tool.
- connectivity component 122 may comprise a background process, such as a Linux daemon, running on server 100 .
- the functions of connectivity component 122 are comprised within packet forwarding function 106 .
- security component 130 is responsive to setup of a new virtual system 102 , 104 on server 100 .
- security component 130 may be notified of the setup of a new virtual system 102 , 104 on server 100 by orchestrator component 124 , or alternatively security component 130 may monitor server 100 to determine when setup of a virtual system occurs.
- FIG. 16 illustrates a message flow for an access control process according to embodiments.
- security component 130 receives setup notification 16 a , which relates to setup of a virtual system on server 100 .
- setup notification 16 a relates to setup of virtual system 102 .
- setup notification 16 a is sent by the orchestrator component 124 .
- setup notification 16 a may result from monitoring performed by security component 130 .
- security component 130 is configured to determine, at step 1600 , one or more entries to populate in access control data store 128 .
- Security component 130 is then configured to populate the determined one or more entries in access control data store 128 by sending data entry update message 16 b .
- the entry in packet forwarding data store 118 may comprise at least the IP address of virtual system 102 , as well as the IP address or IP address range for the one or more communication endpoints (such as other virtual systems in the data center network) with which communication is allowed (or restricted).
- setup notification 16 a may comprise the IP address of virtual system 102 , which is then used to populate the one or more entries in access control data store 128 .
- setup notification 16 a may comprise an identifier for virtual system 102 , which can be resolved into an IP address for virtual system 102 by security component 122 .
- setup notification 16 a also may comprise the IP address or IP address range for the one or more communication endpoints with which communication is allowed (or restricted), which is then used to populate the one or more entries in access control data store 128 .
- setup notification 16 a may comprise an identifier for the one or more communication endpoints, which can be resolved or mapped to an IP address or IP address range for the one or more communication endpoints by security component 130 .
- the determination, at step 1600 , of the one or more entries to populate in access control data store 128 may comprise conversion of the various identifiers received in setup notification 16 a into the necessary entries for populating in access control data store 128 .
- security component 130 is further responsive to closure of virtual systems 102 , 104 on server 100 , in order to delete the previously populated entries in the access control data store 128 .
- security component 130 is notified through receipt of a closure notification when closure of a virtual system 102 , 104 on server 100 occurs. Again, such closure notifications may be received from an orchestrator component 124 , or may result from monitoring performed by security component 130 .
- FIG. 17 illustrates a message flow for an access control process according to embodiments.
- closure notification 17 a relates to closure of a virtual system on server 100 , in particular virtual system 102 .
- closure notification 17 a is sent by the orchestrator component 124 .
- closure notification 17 a may result from monitoring performed by security component 130 .
- security component 130 may be configured to determine, at step 1700 , one or more entries in access control data store 128 which require deletion. Security component 130 is then configured to delete the determined one or more entries in access control data store 128 by sending data entry update message 17 b.
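The access control process of FIGS. 16 and 17, in which the security component converts the identifiers carried in a setup notification into access control entries and later deletes exactly those entries on closure, is illustrated below. This is an added example and not the patent's code: `SecurityComponent`, `SetupNotification`, the `tenant:`/`ip:` identifier syntax and the tenant ranges are all constructed. Entries are kept as plain tuples of (guest address, peer address or range, port or None) so the block stands alone. Tenant identifiers resolve to an address range, which gives the group behaviour the text describes: any guest later allocated an address in that range is covered without adding individual entries. Entries are recorded per guest so that closure of one guest cannot remove an entry populated for another.

```python
"""Security component 130 populating and deleting access control entries.

Added illustration, not the patent's own code. Identifier syntax, tenant
ranges and addresses are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# (guest IP as /32, peer IP or range, port or None for any protocol)
Entry = Tuple[str, str, Optional[int]]

# Constructed mapping of tenant identifiers to the address ranges allocated to them.
TENANT_RANGES: Dict[str, str] = {
    "tenant-a": "192.0.2.0/26",
    "tenant-b": "192.0.2.64/26",
}


@dataclass(frozen=True)
class SetupNotification:
    guest_id: str
    ip: str
    # (endpoint identifier, port): "tenant:<name>" or "ip:<address>"
    peers: Tuple[Tuple[str, Optional[int]], ...]


class SecurityComponent:
    def __init__(self, store: Set[Entry], tenant_ranges: Dict[str, str]) -> None:
        self.store = store                      # access control data store 128
        self.tenant_ranges = tenant_ranges
        self.by_guest: Dict[str, Set[Entry]] = {}   # which entries each guest produced

    def resolve(self, identifier: str) -> str:
        """Map an endpoint identifier to an IP address or range."""
        kind, _, value = identifier.partition(":")
        if kind == "ip":
            return str(ipaddress.ip_network(value, strict=False))
        if kind == "tenant":
            return self.tenant_ranges[value]
        raise ValueError(f"unknown endpoint identifier {identifier!r}")

    def on_setup(self, n: SetupNotification) -> Set[Entry]:
        """Step 1600: determine entries; message 16 b: populate them."""
        guest = str(ipaddress.ip_network(n.ip, strict=False))
        entries = {(guest, self.resolve(ident), port) for ident, port in n.peers}
        self.by_guest[n.guest_id] = entries
        self.store |= entries
        return entries

    def on_closure(self, guest_id: str) -> Set[Entry]:
        """Step 1700: determine entries needing deletion; message 17 b: delete them."""
        entries = self.by_guest.pop(guest_id, set())
        self.store -= entries
        return entries


if __name__ == "__main__":
    store: Set[Entry] = set()
    sc = SecurityComponent(store, TENANT_RANGES)
    sc.on_setup(SetupNotification("vm-102", "192.0.2.10", (("tenant:tenant-a", None), ("ip:198.51.100.7", 443))))
    print(sorted(store, key=str))
    sc.on_closure("vm-102")
    print(store)
```

Resolving identifiers inside the security component, rather than trusting addresses supplied in the notification, keeps the orchestrator from being able to write arbitrary address pairs into the store; an unknown identifier is rejected rather than silently producing an empty or permissive entry.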
- apparatus 100 may comprise a processor or processing system, as depicted by processor 132 in FIG. 1 .
- the processing system may comprise one or more processors and/or memory.
- Each device as described in relation to any of the embodiments described above may similarly comprise a processor and/or processing system.
- One or more of the embodiments described herein with reference to the drawings comprise processes performed by apparatus 100 .
- apparatus 100 may comprise one or more processing systems or processors configured to carry out these processes.
- some embodiments may be implemented at least in part by computer software stored in (non-transitory) memory and executable by the processor, or by hardware, or by a combination of tangibly stored software and hardware (and tangibly stored firmware).
- Embodiments also extend to computer programs, particularly computer programs on or in a carrier, adapted for putting the above described embodiments into practice.
- the program may be in the form of non-transitory source code, object code, or in any other non-transitory form suitable for use in the implementation of processes according to embodiments.
- the carrier may be any entity or device capable of carrying the program, such as a RAM, a ROM, or an optical memory device; etc.
Abstract
Measures for controlling communication access in a data center network are provided. A packet forwarding function in a server in a data center network is configured to access an access control data store when making forwarding decisions for received data packets which are being routed to/from virtual systems hosted on that server. In response to receipt, at the server, of a setup notification relating to setup of a virtual machine on the server, one or more entries are populated in the access control data store. The entries comprise an internet protocol (IP) address of the virtual system and at least one associated IP address of one or more other communication endpoints.
Description
- This application is a continuation of co-pending U.S. patent application Ser. No. 14/231,620 entitled DATA CENTER NETWORKS filed Mar. 31, 2014 which is incorporated herein by reference for all purposes.
- Field of the Invention
- The present application relates to data center networks. In particular, but not exclusively, the present application relates to connectivity and security in data center networks.
- Description of the Related Technology
- Data center deployments, including cloud computing environments, typically provide a computational resource in the form of a number of servers, which can be utilized for various computational tasks, such as data processing, file serving, application hosting and provision of telecommunications services. Such servers are typically comprised within a data center network which interconnects the various servers in the data center deployment and facilitates communication between them. Commonly, the data center network will take the form of a local area network (or LAN), which is deployed at a data center facility which houses the various servers and other necessary hardware required for the data center deployment.
- More recently, particularly in cloud computing environments, a data center deployment may include servers at different geographic locations. Such deployments may be referred to as distributed data centers. A distributed data center network may provide geographical redundancy to the data center deployment, such that a disruption or failure at a particular data center facility does not result in a loss of service, as the required computation can be provided by servers at other data center facilities in the data center network.
- The computational resource provided by a data center may be utilized in various ways. In one variety of architecture, each server in a data center may have a dedicated function or set of functions to perform. However, this can result in poor scalability and inefficient hardware-resource utilization because some functions in the data center network may not utilize all of the hardware resources that have been allocated. To address this, virtualization techniques have been developed which allow a virtual system (or ‘guest’) to be created and deployed on a real, physical machine (or ‘host’) such as a server. Varieties of known guest virtual systems include virtual machines, as well as virtual environments (such as Linux Containers; LXC). The virtual system then behaves as if it were an independent machine or environment with a defined function or set of functions to perform.
- One of the advantages that use of virtualization can provide in data center networks is that multiple guests can be deployed on a single host, with each guest sharing the available hardware resources of the host machine, but operating potentially independently of each other. If the guests running on a particular host are not making efficient use of the computational resource of the host machine (i.e. there is a significant amount of spare capacity available on the host), then an extra guest can be added to the host. Similarly, if the guests running on a particular machine require more combined computational resource than the host machine can provide, then one or more of the guests can be moved to a different host machine in the data center network. Additionally, if the overall demand on the data center network (or on a particular function in the data center network) increases, this demand can be met by setting up additional guests (either by utilizing spare capacity on one of the host machines in the data center network or by adding extra hosts to the data center network).
- The guest virtual systems in a data center deployment may be virtualized as separate communication endpoints in the data center network (which may be configured as a local area network, or LAN, for example). In such deployments, each host server may act as a switch to pass data packets to and from the guests that it hosts. Typically, data center networks operate according to the Internet Protocol (IP) suite. According to the Internet Protocol, such switching within a particular network (e.g. a LAN) is performed on the basis of a destination media access control (MAC) address specified in the data packet. In terms of the open systems interconnection (OSI) model, such MAC-address-based switching is considered to take place at “Layer 2”. In this way, all of the guests in the data center network are conceptually located in the same network.
- In some data center deployments, all of the guests may belong to the same enterprise (or ‘tenant’). Such deployments are known as single-tenant data centers. Alternatively, so-called multi-tenant data centers may include guests belonging to several different tenants. In order to provide segregation between the virtual systems of different tenants, e.g. for information security or conflict avoidance reasons, a number of virtual LANs may be configured in the network which provide connectivity between the various virtual systems associated with a given tenant, but not to virtual systems associated with different tenants.
- According to a first embodiment, there is provided a method for controlling communication access in a data center network, the method comprising: receiving, at a server in the data center network, a setup notification relating to setup of a virtual system on the server; and in response to receipt of the setup notification, populating one or more entries in an access control data store, the one or more entries comprising an internet protocol (IP) address of the virtual system and at least one associated IP address of one or more communication endpoints, wherein the access control data store is accessed by a packet forwarding function comprised within the server when making forwarding decisions for data packets.
- According to a second embodiment, there is provided apparatus for use in a data center network, the apparatus comprising at least one processor, and at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processor, cause the apparatus at least to: receive, at a server in the data center network, a setup notification relating to setup of a virtual system on the server; and in response to receipt of the setup notification, populate one or more entries in an access control data store, the one or more entries comprising an internet protocol (IP) address of the virtual system and at least one associated IP address of a communication endpoint with which communication is allowed, wherein the access control data store is accessed by a packet forwarding function comprised within the server when making forwarding decisions for data packets.
- According to a third embodiment, there is provided a computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform the method of the first embodiment of the application.
- Embodiments comprise a computer program product (for example computer software) adapted to perform the method of the first embodiment of the present application.
- Further features and advantages of the application will become apparent from the following description of preferred embodiments of the application, given by way of example only, which is made with reference to the accompanying drawings.
- FIG. 1 illustrates an apparatus according to one or more disclosed embodiments;
- FIG. 2 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 3 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 4 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 5 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 6 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 7 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 8 illustrates an example message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 9 illustrates an example data center network according to one or more disclosed embodiments;
- FIG. 10 illustrates a message flow for a connectivity process according to one or more disclosed embodiments;
- FIG. 11 illustrates a message flow for a connectivity process according to one or more disclosed embodiments;
- FIG. 12 illustrates a message flow for a connectivity process according to one or more disclosed embodiments;
- FIG. 13 illustrates a message flow for a connectivity process according to one or more disclosed embodiments;
- FIG. 14 illustrates a message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 15 illustrates a message flow for a packet forwarding process according to one or more disclosed embodiments;
- FIG. 16 illustrates a message flow for an access control process according to one or more disclosed embodiments; and
- FIG. 17 illustrates a message flow for an access control process according to one or more disclosed embodiments.
- In some embodiments disclosed herein, a packet forwarding function is provided in a server in a data center network. The packet forwarding function is configured to behave as a virtualized router for forwarding data packets between one or more virtual systems hosted on the server and the rest of the data center network.
- FIG. 1 illustrates an apparatus 100 according to certain embodiments. In the depicted embodiments, apparatus 100 may comprise a server. In alternative embodiments, apparatus 100 may be a hardware module comprised within a server in the data center network, for example a server blade or other hardware component. Server 100 is configured to host one or more virtual systems, including virtual system 102. In the depicted embodiments, server 100 further hosts virtual system 104. In alternative embodiments, server 100 may host a single virtual system (e.g. 102), or may host more than the two illustrated virtual systems. Through hosting the one or more virtual systems, server 100 can be considered to comprise the one or more virtual systems.
- Server 100 may further comprise packet forwarding function 106, which is configured to forward data packets that may be routed to and/or from the one or more virtual systems hosted on server 100. Packet forwarding function 106 may be configured to make forwarding decisions for received data packets on the basis of the destination IP address of the received data packet. Packet forwarding function 106 can be considered to behave as a virtualized router within server 100. By making forwarding decisions for received packets on the basis of the destination IP address, the packet forwarding function can be considered to operate at “Layer 3” of the OSI model.
- Providing a virtualized routing function within server 100 to route data packets to and/or from the virtual systems hosted on server 100 may serve to enable more efficient scaling in data center networks. Compared to conventional mechanisms which employ “Layer 2” MAC-address-based switching to forward data packets to and/or from virtual systems hosted on a particular server, the use of IP addresses to make forwarding decisions enables the data center network to be segregated into a number of separate networks, therefore facilitating an arbitrarily large number of virtual systems to be incorporated into the network.
- In contrast, using conventional Layer 2 switching for forwarding data packets to and/or from virtual systems hosted on a particular server results in scaling difficulties. Layer 2 switching protocols suffer inefficiencies when the network has a large total number of endpoints or is distributed over relatively large geographic areas. This is due to the inability to aggregate Layer 2 forwarding information, and the relatively simplistic design of the Layer 2 control plane protocols.
- In some embodiments, the one or more virtual systems comprise virtual machines. Server 100 may host the one or more virtual machines through use of a virtualization tool such as a hypervisor. In such embodiments, a hypervisor may run on top of an existing operating system on server 100, or it may run directly on the server hardware without an intermediate operating system (in a so-called ‘bare metal’ configuration). In some embodiments, the hypervisor (not shown) may comprise packet forwarding function 106. In some embodiments, a software tool such as OpenStack™ may be used to run the virtual machines on server 100. In further embodiments, the one or more virtual systems comprise virtual environments; in such embodiments, server 100 is configured with a Linux kernel, and may host the one or more virtual systems through the use of the virtualization tool Linux Containers (LXC).
- The one or more virtual systems are connected to packet forwarding function 106 via respective virtual connections (virtual connection 108 for virtual system 102 and virtual connection 110 for virtual system 104). In some embodiments, packet forwarding function 106 may comprise one or more virtual interfaces, with each virtual connection terminating at packet forwarding function 106 via a respective virtual interface (virtual interface 112 for virtual connection 108 and virtual interface 114 for virtual connection 110). In some embodiments, packet forwarding function 106 is comprised within a Linux kernel running on server 100, and the one or more virtual systems reach it over their virtual connections through the corresponding virtual interface.
- In some embodiments, server 100 includes a physical network interface 116, through which packet forwarding function 106 can send packets to and receive packets from entities in the data center network outside of server 100. In such embodiments, packet forwarding function 106 is responsible for forwarding data packets between the one or more virtual systems hosted on server 100 and the wider data center network, accessed via physical network interface 116 and physical network connection 118. In embodiments, the physical network interface may comprise one or more network interface cards (NICs). In embodiments, physical network connection 118 may comprise a part of a data center switching fabric for interconnecting one or more servers in the data center network.
- The virtualized router arrangement of the present disclosure provides efficient means for forwarding data packets between the one or more virtual systems hosted on server 100 and the wider data center network via physical network interface 116 and physical network connection 118. In contrast, known arrangements that are commonly used to forward data packets between guest virtual systems and the physical network interface of a host server commonly use “Layer 2” MAC-address-based switching and are necessarily highly complex in order to provide interoperability between the virtual systems and the physical network interface of the server. This high complexity may be avoided through use of the virtualized router arrangement that is provided in embodiments of this application.
- In some embodiments, the virtualized router arrangement provided by packet forwarding function 106 segregates the one or more virtual systems hosted on server 100 into a separate local network which is distinct from the remainder of the data center network. In embodiments, the one or more virtual systems hosted on server 100 are comprised within an “internal” network, which is in turn comprised within server 100. The internal network provides interconnection between the one or more virtual systems hosted on server 100 and packet forwarding function 106. A different, “external” network then provides interconnection between server 100 and one or more other servers in the data center network. Hence, packet forwarding function 106 can be considered to connect the internal network within server 100 to the external network. In some arrangements, the internal network comprised within server 100 can be considered to be a virtual network, because it exists within server 100 and may comprise virtual hardware, including the virtual systems themselves.
- By performing the function of a virtualized router, packet forwarding function 106 may have an IP address in the internal network that is different to the IP address that it has in the external network. The IP address of packet forwarding function 106 in the external network may be the same as an IP address of server 100 in the data center network. In contrast, the IP address of packet forwarding function 106 in the internal network comprised within server 100 is the IP address observed by the virtual systems hosted on server 100.
- FIG. 1 also includes elements 118, 120, 122 and 124 (packet forwarding data store 118, address translation data store 120, connectivity component 122 and orchestrator component 124), which are described below.
- FIG. 2 illustrates an example message flow for a packet forwarding process according to embodiments. Initially, data packet 2a is received at packet forwarding function 106 from physical network interface 116 of server 100. Received data packet 2a may have originated from another server in the data center network, or another location external to server 100, such as the public internet. In response to receipt of data packet 2a, packet forwarding function 106 may be configured to make a forwarding decision for the received data packet on the basis of the destination IP address of the received data packet at step 200. In FIG. 2, the received data packet has the IP address of virtual system 102 as the destination IP address. Therefore, the result of the forwarding decision made at step 200 is to forward the data packet to virtual system 102 as forwarded data packet 2b. Forwarded data packet 2b is forwarded to virtual system 102 using virtual connection 108 via virtual interface 112.
- FIG. 3 illustrates an example message flow for a packet forwarding process according to embodiments. Initially, data packet 3a is received at packet forwarding function 106 from a virtual system hosted on server 100, in this case virtual system 102. Received data packet 3a is received from virtual system 102 over virtual connection 108 via virtual interface 112. In response to receipt of data packet 3a, packet forwarding function 106 may be configured to make a forwarding decision for the received data packet on the basis of the destination IP address of the received data packet at step 300. In FIG. 3, the received data packet has the IP address of an endpoint located outside of server 100 (i.e. not comprised in the internal network within server 100), such as another virtual system hosted on a different server in the data center network, or another location external to server 100, such as in the public internet. Therefore, the result of the forwarding decision made at step 300 is to forward the data packet into the external network, via physical network interface 116 of server 100, as forwarded data packet 3b.
- FIG. 4 illustrates an example message flow for a packet forwarding process according to embodiments. Initially, data packet 4a is received at packet forwarding function 106 from a virtual system 104 hosted on server 100. In response to receipt of data packet 4a, packet forwarding function 106 may be configured to make a forwarding decision for the received data packet on the basis of the destination IP address of the received data packet at step 400. In FIG. 4, the received data packet has the IP address of another virtual system hosted on server 100 as the destination IP address, in this case virtual system 104. Therefore, the result of the forwarding decision made at step 400 is to forward the data packet to virtual system 104 as forwarded data packet 4b. Forwarded data packet 4b is forwarded to virtual system 104 using virtual connection 110 via virtual interface 114.
- In some embodiments, data packets are routed from the one or more virtual systems hosted on server 100 to packet forwarding function 106 as a result of the IP address of packet forwarding function 106 in the internal network comprised within server 100 being advertised as the default route for data packets originating in that internal network. This default route setup configures the one or more virtual systems hosted on server 100 to transmit outgoing data packets to the packet forwarding function, which is then equipped to make forwarding decisions for the received data packets. Hence, in some embodiments, received data packets reach packet forwarding function 106 by way of this default route.
- In embodiments, such a default route setup may be achieved by configuring packet forwarding function 106 to respond to address resolution request messages with the media access control (MAC) address of packet forwarding function 106 in the internal network comprised within server 100. Setting up the packet forwarding function as the default route in this manner enables virtual systems to be hosted on server 100 without requiring customized configuration of the virtual system which is specific to the server 100 on which it is hosted.
- FIG. 5 illustrates an example message flow for an address resolution process according to embodiments. Initially, virtual system 102 hosted on server 100 has an outgoing data packet to transmit to a given destination IP address. In order to transmit the outgoing data packet, virtual system 102 first transmits address query message 5a in relation to the destination IP address. In some embodiments, address query message 5a may comprise an address resolution protocol (ARP) message (in the case of an Internet Protocol version 4 (IPv4) destination address) or a Neighbor Discovery (ND) message (in the case of an Internet Protocol version 6 (IPv6) destination address). Address query message 5a may be broadcast to devices within the internal network that are connected to virtual system 102, which in this case includes only packet forwarding function 106.
- Packet forwarding function 106 may be configured to intercept address query message 5a by not forwarding the message to any other devices within the internal network. In response to receipt of address query message 5a, packet forwarding function 106 is configured to respond by transmitting address response message 5b to virtual system 102, which includes the MAC address of packet forwarding function 106 in the internal network.
- In response to receipt of address response message 5b, virtual system 102 may be configured to transmit the data packet using the MAC address comprised within the received address response message 5b. Therefore, data packet 5c is transmitted from virtual system 102 to packet forwarding function 106. Data packet 5c is thus received at packet forwarding function 106 on the basis of the transmitted address response message 5b. In response to receipt of data packet 5c, packet forwarding function 106 may be configured to make a forwarding decision for the packet on the basis of the destination IP address of data packet 5c at step 500, for example as described previously in relation to any of FIGS. 2 to 4.
- In some embodiments, packet forwarding function 106 may be configured to make forwarding decisions on the basis of one or more packet forwarding data entries maintained in packet forwarding data store 118. As illustrated in FIG. 1, in some embodiments, packet forwarding data store 118 is accessible to packet forwarding function 106 for use in making forwarding decisions for received data packets. In some embodiments, packet forwarding data store 118 includes entries that may comprise “next hop” IP addresses for various destination IP addresses. Each next hop IP address may be associated with a border gateway or routing entity via which the device associated with the destination IP address may be reached, or it may be the same as the destination IP address if the device associated with the destination IP address is located in the same network. In some embodiments, packet forwarding data store 118 may comprise a forwarding information base (FIB), or forwarding table. By querying packet forwarding data store 118, packet forwarding function 106 can determine the next hop IP address required to reach the destination IP address of a received data packet, and therefore make a forwarding decision as to how to forward the received data packet on that basis.
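The FIG. 5 exchange, as an added example that is not code from the patent: the virtual system broadcasts an ARP request (address query message 5a), the packet forwarding function intercepts it and answers with its own MAC whatever the target IP (address response message 5b), and the virtual system checks the reply against the IP it asked for before framing data packet 5c to the learned MAC. The MAC and IP values, the function names `intercept`, `resolve_from_reply` and `frame_ip_packet`, and the `other` outcome for frames that are not ARP requests are assumptions of this example; only the IPv4/ARP case is shown, not the IPv6 ND case.

```python
import struct

# Constructed sample addresses on the internal network inside server 100
# (assumptions for this example; the patent assigns no concrete values).
PFF_MAC = bytes.fromhex("02005e000001")   # MAC of packet forwarding function 106
PFF_IP = bytes([10, 0, 0, 1])             # IP of packet forwarding function 106
VM_MAC = bytes.fromhex("02005e000102")    # MAC of virtual system 102
VM_IP = bytes([10, 0, 0, 2])              # IP of virtual system 102

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Address query message 5a as a virtual system sends it: 'who has target_ip?'"""
    body = ARP_BODY.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                         sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return ETH_HDR.pack(BROADCAST, sender_mac, ETHERTYPE_ARP) + body


def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for a well-formed IPv4 ARP request, else None."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, oper) != (1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST):
        return None
    return sha, spa, tpa


def intercept(frame):
    """Packet forwarding function side of FIG. 5.

    Returns ("reply", reply_frame) for an ARP request and ("other", None) for any other
    frame, which goes to the normal forwarding decision instead. The request is never
    re-broadcast to the other virtual interfaces: the function answers it itself.
    """
    parsed = parse_arp_request(frame)
    if parsed is None:
        return "other", None
    sha, spa, tpa = parsed
    # Address response message 5b: whatever IP was asked for, answer with the forwarding
    # function's own MAC, so it becomes the next hop for every destination (default route).
    body = ARP_BODY.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY, PFF_MAC, tpa, sha, spa)
    return "reply", ETH_HDR.pack(sha, PFF_MAC, ETHERTYPE_ARP) + body


def resolve_from_reply(reply_frame, queried_ip):
    """Virtual system side: accept the reply only if it answers the IP that was queried,
    and return the MAC to use as the Ethernet destination of data packet 5c."""
    if len(reply_frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(reply_frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _h, _p, _hl, _pl, oper, sha, spa, _tha, _tpa = ARP_BODY.unpack_from(reply_frame, ETH_HDR.size)
    if oper != ARP_REPLY or spa != queried_ip:
        return None
    return sha


def frame_ip_packet(ip_payload, next_hop_mac, src_mac=VM_MAC):
    """Data packet 5c: the outgoing IPv4 packet framed to the MAC learned from the reply."""
    return ETH_HDR.pack(next_hop_mac, src_mac, ETHERTYPE_IPV4) + ip_payload
```

The check in `resolve_from_reply` (the answer must name the IP that was queried) is the one a guest stack performs anyway and is what keeps a stray reply from rewriting the guest's resolution state; because the forwarding function never re-broadcasts the query, a guest on this host never sees address queries from other guests on the same host.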
- FIG. 6 illustrates an example message flow for a packet forwarding process according to embodiments. Initially, data packet 6a is received at packet forwarding function 106 from virtual system 102 (for example as a result of the default route configuration described above). In response to receipt of data packet 6a, packet forwarding function 106 may be configured to access packet forwarding data store 118 in relation to the destination IP address of received data packet 6a, through data store query 6b and corresponding data store response 6c. On the basis of the information comprised within data store response 6c, packet forwarding function 106 may be configured to make a forwarding decision for the received data packet at step 600. In the embodiments depicted in FIG. 6, data store response 6c may comprise a next hop IP address for use in routing the data packet towards the destination IP address. In this case, the next hop IP address is located externally to server 100, therefore packet forwarding function 106 makes a forwarding decision to forward the data packet to the retrieved next hop IP address, via physical network interface 116, as forwarded data packet 6d.
- In some embodiments, if packet forwarding data store 118 does not include an entry that corresponds to the destination IP address of the received data packet, then the outcome of the forwarding decision is for the received data packet to be dropped by packet forwarding function 106 (i.e. not forwarded). In some embodiments, packet forwarding data store 118 includes entries which comprise an interface identifier which identifies the appropriate interface (a virtual interface 112, 114 or physical network interface 116) via which the data packet is to be forwarded. In such embodiments, the interface used by packet forwarding function 106 is determined on the basis of an interface identifier retrieved from packet forwarding data store 118, for example in data store response 6c, and the forwarding decisions made by packet forwarding function 106 are further based on the retrieved interface identifier.
- In some embodiments, packet forwarding function 106 is configured to make forwarding decisions on the basis of one or more address translation data entries maintained in address translation data store 120. As illustrated in FIG. 1, in some embodiments, address translation data store 120 is accessible to packet forwarding function 106 for use in making forwarding decisions for received data packets. In some embodiments, address translation data store 120 includes entries that may comprise a MAC address which corresponds to a given IP address to which packets may be forwarded. In some embodiments, address translation data store 120 may comprise an ARP cache or ND cache. By querying address translation data store 120, packet forwarding function 106 can determine the MAC address required to reach the IP address to which a received data packet is to be forwarded, and therefore make a forwarding decision as to how to forward the received data packet on that basis.
- FIG. 7 illustrates an example message flow for a packet forwarding process according to embodiments. Initially, data packet 7a is received at packet forwarding function 106 via physical network interface 116, with a destination IP address that is the IP address of virtual system 102. In response to receipt of data packet 7a, packet forwarding function 106 may be configured to access address translation data store 120 in relation to the IP address of virtual system 102, through data store query 7b and corresponding data store response 7c. On the basis of the information comprised within data store response 7c, packet forwarding function 106 may be configured to make a forwarding decision for the received data packet at step 700. In the embodiments depicted in FIG. 7, data store response 7c may comprise the MAC address of virtual system 102 for use in forwarding the received data packet to the destination IP address. Therefore, packet forwarding function 106 makes a forwarding decision to forward the data packet using the retrieved MAC address for virtual system 102, via virtual interface 112, as forwarded data packet 7d.
- FIG. 8 illustrates an example message flow for a packet forwarding process according to embodiments. Initially, data packet 8a is received at packet forwarding function 106 from virtual system 102. In response to receipt of data packet 8a, packet forwarding function 106 may be configured to access packet forwarding data store 118 in relation to the destination IP address of received data packet 8a, through data store query 8b and corresponding data store response 8c. In the embodiments depicted in FIG. 8, data store response 8c may comprise a next hop IP address for use in routing the data packet towards the destination IP address. In this case, the next hop IP address is located externally to server 100, and is reachable via physical network interface 116.
- In response to determining the next hop IP address for the data packet, packet forwarding function 106 may be configured to access address translation data store 120 in relation to the next hop IP address, through data store query 8d and corresponding data store response 8e. In the embodiments depicted in FIG. 8, data store response 8e may comprise the MAC address of the device associated with the retrieved next hop IP address for the data packet. On the basis of the retrieved MAC address and next hop IP address, packet forwarding function 106 is configured to make a forwarding decision for the received data packet at step 800, which results in the data packet being forwarded to the next hop IP address, using the retrieved MAC address, via physical network interface 116, as forwarded data packet 8f.
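The forwarding decisions of FIGS. 6 to 8, as an added example rather than code from the patent: a packet forwarding data store whose entries carry a next hop IP address and an interface identifier, an address translation data store that maps next hop IPs to MACs, the drop outcome for a destination with no entry, and the two-lookup path of FIG. 8 (next hop first, then its MAC). It goes beyond the per-address entries the text describes by matching destinations against prefixes with longest-prefix match, which is how a forwarding information base generalises them. The table contents, interface names and the `resolve` outcome for a next hop whose MAC is not yet cached are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class ForwardingEntry:
    """One entry of packet forwarding data store 118."""
    next_hop: str      # next hop IP; equal to the destination when it is directly attached
    interface: str     # interface identifier: a virtual interface or the physical NIC


@dataclass(frozen=True)
class Decision:
    """Outcome of a forwarding decision (step 600/700/800)."""
    action: str                       # "forward", "drop" or "resolve"
    interface: Optional[str] = None
    next_hop: Optional[str] = None
    mac: Optional[str] = None
    reason: str = ""


def sample_stores():
    """Constructed sample tables for one host (assumptions, not values from the patent)."""
    fib: Dict[str, ForwardingEntry] = {
        "10.0.0.2/32": ForwardingEntry("10.0.0.2", "vif112"),     # virtual system 102, directly attached
        "10.0.0.3/32": ForwardingEntry("10.0.0.3", "vif114"),     # virtual system 104, directly attached
        "10.0.1.0/24": ForwardingEntry("192.0.2.20", "nic116"),   # guests on another server, via its PFF
        "0.0.0.0/0": ForwardingEntry("192.0.2.1", "nic116"),      # default: border gateway
    }
    arp: Dict[str, str] = {                                       # address translation data store 120
        "10.0.0.2": "02:00:5e:00:01:02",
        "10.0.0.3": "02:00:5e:00:01:04",
        "192.0.2.1": "02:00:5e:00:09:04",
        # 192.0.2.20 deliberately absent to exercise the unresolved next hop case
    }
    return fib, arp


def lookup_fib(fib, dst_ip):
    """Data store query 6b/8b: longest-prefix match over the forwarding entries."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_entry = None, None
    for prefix, entry in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_entry = net, entry
    return best_entry


def forwarding_decision(fib, arp, dst_ip):
    """Decide the egress interface and next-hop MAC for a packet addressed to dst_ip."""
    entry = lookup_fib(fib, dst_ip)
    if entry is None:
        # No entry for the destination: the packet is dropped, not forwarded.
        return Decision("drop", reason="no forwarding entry for destination")
    mac = arp.get(entry.next_hop)                    # data store query 7b/8d
    if mac is None:
        # The patent does not state this case. Assumption: hold the packet and issue an
        # address query for the next hop before forwarding.
        return Decision("resolve", entry.interface, entry.next_hop, reason="next hop MAC unknown")
    return Decision("forward", entry.interface, entry.next_hop, mac)
```

A destination that matches nothing is dropped rather than sent to a guessed interface, which is the property that keeps the per-host router from leaking traffic between the internal network and the fabric when its tables are incomplete.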
- FIG. 9 illustrates an example data center network 900 according to embodiments. In the embodiments depicted in FIG. 9, data center network 900 may comprise a plurality of servers (or server components) including at least server 100a and server 100b. In FIG. 9, many of the components of servers 100a, 100b correspond to those described in relation to FIG. 1. In the embodiments depicted in FIG. 9, only two servers 100a, 100b are shown, each hosting one or more virtual systems; data center network 900 may comprise further servers.
- Packet forwarding function 106a connects the virtual systems hosted on server 100a to the external network, via the physical network interface of server 100a. In some embodiments, the external network may comprise data center switching fabric 902, which interconnects the various physical machines in the data center network, including servers 100a, 100b. Similarly, packet forwarding function 106b connects the virtual systems hosted on server 100b to the external network (i.e. data center switching fabric 902), via the physical network interface of server 100b.
- In embodiments, data center network 900 may also comprise border gateway entity 904, which provides connectivity between data center network 900 and one or more further networks 906. In some embodiments, border gateway entity 904 may comprise a border router which is responsible for routing data traffic within data center switching fabric 902. In embodiments, the one or more further networks 906 may comprise the public internet. In further embodiments, the one or more further networks 906 may comprise one or more other data center networks which form a distributed data center deployment. In some such embodiments, the one or more other data center networks are accessible via an inter-data center backbone.
- In embodiments, the IP addresses of the virtual systems in data center network 900 are routable, i.e. unique, within data center network 900. In some embodiments, the IP addresses of one or more of the virtual systems in data center network 900 are publicly routable, which is to say that they are unique within the public internet (accessible via border gateway entity 904) as well as within data center network 900.
- As described above in relation to FIG. 1, packet forwarding functions 106a, 106b may be configured with different IP addresses with respect to the external network (i.e. data center switching fabric 902) versus their respective internal networks (i.e. the network comprised within the respective server 100a, 100b). Their IP addresses in the external network are distinct from one another within data center switching fabric 902. However, in some embodiments, the various packet forwarding functions 106a, 106b in the data center network may be configured with the same IP addresses in their respective internal networks. In such embodiments, the various virtual systems in the data center network communicate via a packet forwarding function that has the same IP address on each host, which reduces the reconfiguration of the virtual systems required when moving them between the various host servers.
- In some embodiments, the IP addresses of packet forwarding functions 106a, 106b in the external network (i.e. data center switching fabric 902) are advertised in the external network as the default next hop IP address for reaching the one or more virtual systems hosted on the respective server 100a, 100b. Hence, the IP addresses of packet forwarding functions 106a, 106b in the external network are advertised in the external network as the default next hop IP address for data packets being routed to the associated virtual systems.
- In some embodiments, packet forwarding functions 106a, 106b also have the same MAC addresses in their respective internal networks, thereby further reducing the reconfiguration required when moving virtual systems between the various host servers.
- Returning to FIG. 1, in some embodiments, measures are provided to establish connectivity between packet forwarding function 106 and the virtual systems hosted on server 100, by establishing the necessary virtual connection and populating packet forwarding data store 118. In some embodiments, these measures are provided in the form of connectivity component 122 comprised within server 100. In embodiments where a software tool such as OpenStack is provided for managing the setup of virtual systems on server 100, connectivity component 122 may be provided in the form of a plugin for the software tool. In alternative embodiments, connectivity component 122 may comprise a background process, such as a Linux daemon, running on server 100. In yet further embodiments, the functions of connectivity component 122 are comprised within packet forwarding function 106.
- Depending on the implementation of connectivity component 122, the connectivity component may be notified of the setup of a new virtual system on server 100 in various ways. Server 100 may comprise an orchestrator component 124, such as the orchestrator provided within OpenStack or the ‘Flynn’ orchestrator used in Linux Containers, for managing the setup of virtual systems on server 100. In some embodiments, orchestrator component 124 is configured to notify connectivity component 122 when a virtual system is set up on server 100. In such embodiments, connectivity component 122 may subscribe to notifications from orchestrator component 124. In alternative embodiments, connectivity component 122 may monitor server 100 to determine when setup of a virtual system occurs.
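The connectivity component's handling of a setup notification (the FIG. 10 flow described below, with the IP allocation from a tenant-specific range mentioned there) together with the access control entries of the first embodiment, as an added example that is not the patent's own code: on a notification it creates a virtual interface, records the virtual system's IP against that interface identifier in the packet forwarding data store, allocates an address from a per-tenant range when the notification carries only an identifier, and writes access control entries that the packet forwarding function can consult before forwarding. The notification fields, the per-tenant ranges, the interface naming, and the policy that a guest may communicate only with endpoints of its own tenant are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SetupNotification:
    """Setup notification 10a. The patent fixes no format; these fields are assumed."""
    system_id: str            # identifier for the virtual system
    tenant: str               # tenant the guest belongs to (drives range selection)
    ip: Optional[str] = None  # IP address, if the orchestrator already chose one


@dataclass
class HostState:
    """Data stores on server 100 that packet forwarding function 106 consults."""
    fib: Dict[str, str] = field(default_factory=dict)        # packet forwarding data store 118: IP -> interface id
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # access control data store: IP -> allowed peer IPs
    tenant_of: Dict[str, str] = field(default_factory=dict)  # IP -> tenant (bookkeeping for the ACL policy)
    interfaces: List[str] = field(default_factory=list)      # virtual interfaces created at step 1000


# Constructed per-tenant address ranges (assumption for this example).
TENANT_RANGES = {"tenant-a": "10.0.1.0/24", "tenant-b": "10.0.2.0/24"}


def allocate_ip(state, tenant):
    """Pick the lowest address in the tenant's range that no live entry uses."""
    for host in ipaddress.ip_network(TENANT_RANGES[tenant]).hosts():
        if str(host) not in state.fib:
            return str(host)
    raise RuntimeError(f"no free address for {tenant}")


def handle_setup(state, notif):
    """Connectivity component 122 reacting to setup notification 10a.

    Returns (ip, interface_id) for the new entry.
    """
    ip = notif.ip or allocate_ip(state, notif.tenant)
    if ip in state.fib:
        raise ValueError(f"{ip} already in use")     # never overwrite a live guest's entry
    iface = f"vif-{notif.system_id}"                  # step 1000: create the virtual connection
    state.interfaces.append(iface)
    state.fib[ip] = iface                             # data entry update 10b: IP plus interface id
    state.tenant_of[ip] = notif.tenant
    # Access control entries: the new guest may reach endpoints of the same tenant only
    # (assumed policy). The relation is kept symmetric so either side can initiate.
    peers = {p for p, t in state.tenant_of.items() if t == notif.tenant and p != ip}
    state.acl[ip] = set(peers)
    for p in peers:
        state.acl[p].add(ip)
    return ip, iface


def is_allowed(state, src_ip, dst_ip):
    """Check made by the packet forwarding function before forwarding; unknown sources are denied."""
    return dst_ip in state.acl.get(src_ip, set())
```

Because `is_allowed` defaults to deny, a guest whose setup notification was never processed (or a spoofed source address that matches no entry) gets no connectivity at all, which is the safe failure mode for a per-host enforcement point.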
- FIG. 10 illustrates a message flow for a connectivity process according to embodiments. Initially, setup notification 10 a, which relates to setup of a virtual system on server 100, is received by connectivity component 122. In this case, setup notification 10 a relates to setup of virtual system 102. In the depicted embodiments, setup notification 10 a is sent by the orchestrator component 124. In alternative embodiments, setup notification 10 a may result from monitoring performed by connectivity component 122. In response to receipt of setup notification 10 a, connectivity component 122 is configured to create virtual connection 108 between virtual system 102 and packet forwarding function 106 at step 1000. Further in response to receipt of setup notification 10 a, connectivity component 122 is configured to populate an entry in packet forwarding data store 118 comprised within server 100 by sending data entry update message 10 b. The entry in packet forwarding data store 118 may comprise the IP address of virtual system 102, and an identifier for the virtual connection 108 which connects virtual system 102 to packet forwarding function 106. In some embodiments, the identifier for virtual connection 108 may comprise an identifier for virtual interface 112.
- In some embodiments, the setup of the virtual connection at step 1000 may comprise setting up a virtual interface 112 in packet forwarding function 106 via which the virtual connection 108 between the packet forwarding function and virtual system 102 is established. In such embodiments, virtual connection 108 may comprise virtual interface 112. In embodiments, virtual interface 112 may comprise a virtual Ethernet port (veth). In further embodiments, virtual interface 112 may comprise a network tunnel (tun). In yet further embodiments, virtual interface 112 may comprise a network tunnel (tap).
- In embodiments, setup notification 10 a may comprise the IP address of virtual system 102, which is then used to populate the entry in packet forwarding data store 118. In alternative embodiments, setup notification 10 a may comprise an identifier for virtual system 102, which can be resolved into an IP address for virtual system 102 by connectivity component 122. In some such embodiments, connectivity component 122 may allocate an IP address to virtual system 102. In some embodiments, the identifier for the virtual system may influence the choice of IP address allocated by connectivity component 122. For example, the identifier may indicate that the virtual system belongs to a particular tenant, or performs a particular function, and therefore should be allocated an available IP address from a particular range.
- In some embodiments, connectivity component 122 may be further configured to populate entries in address translation data store 120 in response to setup of a virtual system on server 100.
- FIG. 11 illustrates a message flow for a connectivity process according to embodiments. Initially, setup notification 11 a, which relates to setup of virtual system 102 on server 100, is received by connectivity component 122. Again, in the depicted embodiments, setup notification 11 a is sent by the orchestrator component 124. In response to receipt of setup notification 11 a, connectivity component 122 may be configured to create virtual connection 108 between virtual system 102 and packet forwarding function 106 at step 1100. In response to receipt of setup notification 11 a, connectivity component 122 may also be configured to populate an entry in packet forwarding data store 118 that may be comprised within server 100 by sending data entry update message 11 b to the packet forwarding data store, as described above in relation to FIG. 10. Further in response to receipt of setup notification 11 a, connectivity component 122 may be configured to populate an entry in address translation data store 120 comprised within server 100 by sending data entry update message 11 c to address translation data store 120. The entry in address translation data store 120 may comprise the IP address of virtual system 102 and the MAC address of virtual system 102.
- The IP address of virtual system 102 for use in populating the entry in address translation data store 120 may be determined as detailed above in relation to packet forwarding data store 118. In embodiments, setup notification 11 a may comprise the MAC address of virtual system 102, which is then used to populate the entry in address translation data store 120. In alternative embodiments, setup notification 11 a may comprise an identifier for virtual system 102, which can be resolved into a MAC address for virtual system 102 by connectivity component 122.
- In embodiments, the step of creating the virtual connection virtual system virtual connection virtual system
- In some embodiments, connectivity component 122 is further responsive to closure of virtual systems on server 100, in order to remove the previously created connections and the corresponding entries in packet forwarding data store 118 and/or the address translation data store 120. In such embodiments, connectivity component 122 is notified through receipt of a closure notification when closure of a virtual system on server 100 occurs. Again, such closure notifications may be received from an orchestrator component 124, or may result from monitoring performed by connectivity component 122.
- FIG. 12 illustrates a message flow for a connectivity process according to embodiments. Initially, closure notification 12 a, which relates to closure of a virtual system on server 100, is received by connectivity component 122. In this case, closure notification 12 a relates to closure of virtual system 102. In the depicted embodiments, closure notification 12 a is sent by the orchestrator component 124. In alternative embodiments, closure notification 12 a may result from monitoring performed by connectivity component 122. In response to receipt of closure notification 12 a, connectivity component 122 is configured to remove virtual connection 108 at step 1200. Further in response to receipt of closure notification 12 a, connectivity component 122 is configured to delete the entry in packet forwarding data store 118 which may comprise the IP address of virtual system 102 and an identifier for virtual connection 108, by sending data entry update message 12 b.
- In some embodiments, connectivity component 122 may be further configured to delete entries in address translation data store 120 in response to closure of a virtual system on server 100.
- FIG. 13 illustrates a message flow for a connectivity process according to embodiments. Initially, closure notification 13 a, which relates to closure of virtual system 102 on server 100, is received by connectivity component 122. Again, in the depicted embodiments, closure notification 13 a is sent by the orchestrator component 124. In response to receipt of closure notification 13 a, connectivity component 122 may be configured to remove virtual connection 108 at step 1300. In response to receipt of closure notification 13 a, connectivity component 122 may also be configured to delete the entry in packet forwarding data store 118 comprised within server 100 by sending data entry update message 13 b to packet forwarding data store 118, as described above in relation to FIG. 12. Further in response to receipt of closure notification 13 a, connectivity component 122 may be configured to delete the entry in address translation data store 120 which may comprise the IP address and MAC address of virtual system 102, by sending data entry update message 11 c to address translation data store 120.
- In some embodiments, connectivity component 122 is configured to distribute packet forwarding information for virtual systems on server 100 to one or more entities outside of server 100. For example, in response to setup and/or closure of a virtual system on server 100, connectivity component 122 may transmit a packet forwarding update message via physical network interface 116 to one or more entities in the data center network. In embodiments, the packet forwarding update message is transmitted in response to receipt of a setup notification and/or receipt of a closure notification received in relation to a virtual system on server 100. In some embodiments, the packet forwarding update message may comprise the IP address of that virtual system and the IP address of server 100. Server 100 may thus be configured by recipients of the packet forwarding update message as the next hop IP address in the data center network to be used for reaching that virtual system.
- In some arrangements, connectivity component 122 is configured to transmit packet forwarding update messages to one or more other servers in the data center network. When such an update message is received by one of the one or more other servers in the data center network, a connectivity component running on that server can use the received packet forwarding update message to populate an entry in a forwarding data store on that server. In some embodiments, the entry may comprise the IP address of the virtual system and the IP address of server 100 as the next hop IP address to be used for routing to that virtual system.
- In alternative embodiments, connectivity component 122 is configured to transmit packet forwarding update messages to a route reflector 908 depicted in FIG. 9. Route reflector 908 is configured to receive packet forwarding update messages from servers in the data center network, and retransmit the packet forwarding update message to the other servers in the data center network. In this manner, the connectivity components do not need to keep track of all of the servers located in the data center network in order to transmit packet forwarding update messages to them, as the distribution of packet forwarding update messages is handled by route reflector 908.
- In the depicted embodiments, route reflector 908 is depicted as a distinct entity in the data center network; in alternative embodiments, the route reflector may be comprised within another entity in the data center network, such as border gateway entity 904. In embodiments where connectivity component 122 transmits packet forwarding update messages to a route reflector, connectivity component 122 may be considered to act as a route reflector client. In yet further embodiments, server 100 may comprise route reflector client 126, which is configured to monitor packet forwarding data store 118. In such embodiments, in response to detecting a change in the entries in the packet forwarding data store, route reflector client 126 may be configured to transmit a packet forwarding update message to route reflector 908.
- In some embodiments, the packet forwarding update messages are border gateway protocol (BGP) messages. In some such embodiments, the packet forwarding update messages comprise BGP UPDATE messages.
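As an added illustration that is not code from the patent, the following Python models connectivity component 122 handling the setup and closure notifications of FIGS. 10 to 13 and exchanging packet forwarding update messages with a second server through a route reflector that simply re-sends them. The notification and message fields, the class names, the tenant address ranges and the `reflect` helper are constructed assumptions for this example, not anything the patent specifies.

```python
"""Added example (not the patent's code): a small model of connectivity component 122
as described for FIGS. 10 to 13, plus the packet forwarding update messages of FIG. 9.
Message formats, class names and tenant address ranges are constructed assumptions."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import Optional


@dataclass
class SetupNotification:
    vm_id: str                   # identifier of the virtual system, e.g. "tenant-a:web-1"
    ip: Optional[str] = None     # IP address, if the orchestrator already assigned one
    mac: Optional[str] = None    # MAC address of the virtual system, if known


@dataclass
class Server:
    """One host server 100: its data stores and the virtual connections it created."""
    server_ip: str
    # packet forwarding data store 118: virtual system IP -> next hop, which is either
    # a local virtual interface id or the IP of the server hosting that system
    forwarding: dict = field(default_factory=dict)
    # address translation data store 120: virtual system IP -> MAC address
    arp: dict = field(default_factory=dict)
    connections: dict = field(default_factory=dict)   # vm_id -> virtual interface id
    # constructed tenant ranges, used when an identifier must be resolved to an IP
    tenant_ranges: dict = field(default_factory=lambda: {
        "tenant-a": IPv4Network("10.0.1.0/24"),
        "tenant-b": IPv4Network("10.0.2.0/24"),
    })
    _next_veth: int = 0


class ConnectivityComponent:
    def __init__(self, server: Server):
        self.s = server

    def _allocate_ip(self, vm_id: str) -> str:
        """Resolve an identifier into an IP: first free address in the tenant's range."""
        tenant = vm_id.split(":", 1)[0]
        for host in self.s.tenant_ranges[tenant].hosts():
            if str(host) not in self.s.forwarding:   # skip local and remote entries alike
                return str(host)
        raise RuntimeError(f"no free address for {tenant}")

    def on_setup(self, n: SetupNotification) -> dict:
        """FIGS. 10 and 11: create the virtual connection, populate stores 118 and 120,
        and return the packet forwarding update message to advertise to other servers."""
        ip = n.ip or self._allocate_ip(n.vm_id)
        veth = f"veth{self.s._next_veth}"            # step 1000: virtual interface 112
        self.s._next_veth += 1
        self.s.connections[n.vm_id] = veth
        self.s.forwarding[ip] = veth                 # data entry update message 10 b
        if n.mac:
            self.s.arp[ip] = n.mac                   # data entry update message 11 c
        return {"action": "setup", "vm_ip": ip, "next_hop": self.s.server_ip}

    def on_closure(self, vm_id: str) -> dict:
        """FIGS. 12 and 13: remove the virtual connection and the entries for that system."""
        veth = self.s.connections.pop(vm_id)
        ip = next(a for a, nh in self.s.forwarding.items() if nh == veth)
        del self.s.forwarding[ip]                    # data entry update message 12 b
        self.s.arp.pop(ip, None)                     # address translation entry removed
        return {"action": "closure", "vm_ip": ip, "next_hop": self.s.server_ip}

    def on_update(self, msg: dict) -> None:
        """Packet forwarding update received from another server (directly or via a
        route reflector): that server becomes the next hop for the virtual system."""
        if msg["next_hop"] == self.s.server_ip:
            return                                   # our own advertisement reflected back
        if msg["action"] == "setup":
            self.s.forwarding[msg["vm_ip"]] = msg["next_hop"]
        elif msg["action"] == "closure":
            # only delete when the entry still points at the announcing server, so a
            # stale closure cannot remove a newer entry for a system moved elsewhere
            if self.s.forwarding.get(msg["vm_ip"]) == msg["next_hop"]:
                del self.s.forwarding[msg["vm_ip"]]


def run_two_servers():
    """Two servers exchanging updates through a constructed stand-in for route
    reflector 908 that re-sends every message to every connectivity component."""
    a, b = Server("192.0.2.10"), Server("192.0.2.11")
    ca, cb = ConnectivityComponent(a), ConnectivityComponent(b)
    clients = [ca, cb]

    def reflect(msg: dict) -> None:
        for c in clients:
            c.on_update(msg)

    reflect(ca.on_setup(SetupNotification("tenant-a:web-1", mac="02:00:00:00:00:01")))
    reflect(cb.on_setup(SetupNotification("tenant-b:db-1", ip="10.0.2.7")))
    reflect(cb.on_closure("tenant-b:db-1"))
    return a, b
```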
- In some embodiments, in response to receipt of a packet forwarding update message received via physical network interface 116 from an entity outside of server 100, connectivity component 122 may be configured to modify one or more entries in packet forwarding data store 118. If the received packet forwarding update message relates to setup of a virtual system on another server in the data center network, connectivity component 122 may be configured to populate an entry in packet forwarding data store 118 which may comprise the IP address of that virtual system and lists the IP address of the server on which it is hosted as the next hop IP address for reaching that virtual system. However, if the received packet forwarding update message relates to closure of a virtual system on another server in the data center network, connectivity component 122 may be configured to delete the entry in packet forwarding data store 118 which may comprise the IP address of that virtual system and the IP address of the server on which it is hosted. In some embodiments, the received packet forwarding update message may comprise the IP address of that virtual system and the IP address of the server on which it is hosted.
- In embodiments where server 100 may comprise route reflector client 126, the route reflector client may be responsible for modifying the entries in the packet forwarding data store instead of connectivity component 122.
- Returning again to FIG. 1, in some embodiments, measures are provided to control communication access between virtual systems in the data center network. In some embodiments, these measures are provided in the form of access control data store 128. In embodiments, access control data store 128 is comprised within server 100. Access control data store 128 may comprise entries which comprise IP addresses which are allowed to communicate with each other in the data center network. In some embodiments, access control data store 128 may comprise an access control list (ACL). According to embodiments, access control data store 128 is accessed by packet forwarding function 106 for use in making forwarding decisions for received data packets.
- In some embodiments, access control data store 128 acts as a whitelist for allowed combinations of IP addresses. In such embodiments, packet forwarding function 106 is configured to only forward data packets that may be routed from a particular source IP address to a particular destination IP address if that combination of IP addresses is listed in an entry in access control data store 128. In such embodiments, if the combination of source and destination IP addresses is listed in access control data store 128, then the data packet is forwarded as described previously in relation to any of FIGS. 2 to 8. However, if the combination of source and destination IP addresses is not listed in an entry in access control data store 128, the packet forwarding function 106 is configured to drop the data packet (i.e. not forward it on).
- In alternative embodiments, access control data store 128 acts as a blacklist for restricted combinations of IP addresses. Under such embodiments, packet forwarding function 106 is configured to only forward data packets that may be routed from a particular source IP address to a particular destination IP address if that combination of IP addresses is not listed in an entry in access control data store 128. In such embodiments, if the combination of source and destination IP addresses is not listed in access control data store 128, then the data packet is forwarded as described previously in relation to any of FIGS. 2 to 8. However, if the combination of source and destination IP addresses is listed in an entry in access control data store 128, the packet forwarding function 106 is configured to drop the data packet (i.e. not forward it on).
- In some embodiments, one or more of the entries in access control data store 128 comprise a range of IP addresses. In this manner, several virtual systems that are allowed to communicate (or are restricted from communicating) can be defined. Further, if new virtual systems that are added to that group are allocated an IP address in the listed range, then communication between the new and existing virtual systems in the group is allowed (or restricted) without having to update the access control data store 128 with new individual entries.
- In some embodiments, one or more of the entries in access control data store 128 comprise protocol identifiers alongside the listed IP addresses and/or IP address ranges. In such embodiments, the protocol identifiers specify particular protocols, applications or services which the listed IP addresses are allowed to use (or are restricted from using) to communicate. In some embodiments, the protocol identifiers comprise IP port numbers. In some such embodiments, access control data store 128 acts as a whitelist for allowed combinations of IP addresses and applications. In alternative such embodiments, access control data store 128 acts as a blacklist for restricted combinations of IP addresses and applications.
- FIG. 14 illustrates a message flow for a packet forwarding process according to embodiments. Initially, data packet 14 a is received at packet forwarding function 106 from virtual system 102 (for example as a result of the default route configuration described previously). In response to receipt of data packet 14 a, packet forwarding function 106 may be configured to query access control data store 128 in relation to the source and destination IP addresses of received data packet 14 a, through data store query 14 b and corresponding data store response 14 c. On the basis of the information comprised within data store response 14 c, packet forwarding function 106 may be configured to make a forwarding decision for the received data packet at step 1400. In this case, data store response 14 c indicates that communication between the specified source and destination IP addresses is allowed (either because there is a corresponding entry in access control data store 128 in the case of whitelist operation, or because there is no corresponding entry in access control data store 128 in the case of blacklist operation). Therefore, packet forwarding function 106 makes a forwarding decision to forward the data packet on, for example as described previously in relation to any of FIGS. 2 to 8, via physical network interface 116 to a destination located outside of server 100, as forwarded data packet 14 d.
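As an added example that is not part of the patent, the following Python models access control data store 128 in both whitelist and blacklist operation, with entries holding IP addresses or ranges and an optional port number as the protocol identifier, and the forwarding decision of step 1400 applied to constructed sample packets; because the check only looks at the source and destination of a packet, the same code serves a packet arriving from virtual system 102 or from physical network interface 116. The entry layout, the class names and the sample addresses are constructed assumptions.

```python
"""Added example (not the patent's code): access control data store 128 as a whitelist
or blacklist of source/destination combinations, queried by packet forwarding function
106 to decide between forwarding and dropping. Entry format and samples are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class AclEntry:
    src: str                       # single IP or range, e.g. "10.0.1.0/24"
    dst: str
    port: Optional[int] = None     # protocol identifier (IP port number); None = any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.port is None or pkt.dst_port == self.port))


class AccessControlDataStore:
    def __init__(self, entries: List[AclEntry], mode: str = "whitelist"):
        if mode not in ("whitelist", "blacklist"):
            raise ValueError(mode)
        self.entries, self.mode = list(entries), mode

    def query(self, pkt: Packet) -> bool:
        """Data store response 14 c: True when the combination is allowed to communicate."""
        listed = any(e.matches(pkt) for e in self.entries)
        return listed if self.mode == "whitelist" else not listed


class PacketForwardingFunction:
    def __init__(self, acl: AccessControlDataStore):
        self.acl = acl
        self.forwarded: List[Packet] = []
        self.dropped: List[Packet] = []

    def receive(self, pkt: Packet) -> str:
        """Step 1400: forward when allowed, otherwise drop (do not forward on)."""
        if self.acl.query(pkt):
            self.forwarded.append(pkt)
            return "forward"
        self.dropped.append(pkt)
        return "drop"


# Constructed sample policy: tenant A's web tier (10.0.1.0/24) may reach the database
# 10.0.2.7 on port 5432 only; replies from the database to the web tier are listed
# separately because the store is stateless; nothing allows 10.0.3.0/24 to reach the DB.
POLICY_ENTRIES = [
    AclEntry("10.0.1.0/24", "10.0.2.7", 5432),
    AclEntry("10.0.2.7", "10.0.1.0/24"),
]

SAMPLE_PACKETS = [
    Packet("10.0.1.5", "10.0.2.7", 5432),    # web -> db on the listed port
    Packet("10.0.1.5", "10.0.2.7", 22),      # same hosts, port not listed
    Packet("10.0.3.9", "10.0.2.7", 5432),    # another range, not listed at all
    Packet("10.0.2.7", "10.0.1.5", 40000),   # reply traffic, any port
]


def run_whitelist() -> List[str]:
    pff = PacketForwardingFunction(AccessControlDataStore(POLICY_ENTRIES, "whitelist"))
    return [pff.receive(p) for p in SAMPLE_PACKETS]


def run_blacklist() -> List[str]:
    """The same entries read as a blacklist: listed combinations are now the dropped ones."""
    pff = PacketForwardingFunction(AccessControlDataStore(POLICY_ENTRIES, "blacklist"))
    return [pff.receive(p) for p in SAMPLE_PACKETS]
```

The reply entry is needed because the store holds only source/destination combinations and keeps no connection state, so a whitelist that lists one direction alone would drop the return packets.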
- FIG. 15 illustrates a message flow for a packet forwarding process according to embodiments. Initially, data packet 15 a is received at packet forwarding function 106 via physical network interface 116 from a source located outside of server 100. In response to receipt of data packet 15 a, packet forwarding function 106 may be configured to query access control data store 128 in relation to the source and destination IP addresses of received data packet 15 a, through data store query 15 b and corresponding data store response 15 c. On the basis of the information comprised within data store response 15 c, packet forwarding function 106 may be configured to make a forwarding decision for the received data packet at step 1500. In this case, data store response 15 c indicates that communication between the specified source and destination IP addresses is allowed (either because there is a corresponding entry in access control data store 128 in the case of whitelist operation, or because there is no corresponding entry in access control data store 128 in the case of blacklist operation). Therefore, packet forwarding function 106 makes a forwarding decision to forward the data packet on, for example as described previously in relation to any of FIGS. 2 to 8, to virtual system 102 as forwarded data packet 15 d.
- The access control measures provided by access control data store 128 are scalable to support arbitrarily large numbers of virtual systems in the data center network, and are not limited by the number of available virtual LANs for example, as is the case in many conventional systems. Further, as can be seen from FIGS. 14 and 15, for traffic that is routed between virtual systems hosted on two different servers in the data center network, security is enforced at both the server that hosts the source virtual system and the server that hosts the destination virtual system. This duplication of security functions at both ingress and egress of the data center switching fabric provides increased resilience against any errors that may occur at either server.
- While in the embodiments depicted in FIG. 1 access control data store 128 is comprised within server 100, in alternative embodiments, access control data store 128 is comprised outside of server 100, and is accessible to one or more servers in the data center network.
- Returning again to FIG. 1, in some embodiments, measures are provided to populate and maintain the entries comprised in access control data store 128. In some embodiments, these measures are provided in the form of security component 130 comprised within server 100. In embodiments where a software tool is provided for managing the setup of virtual systems on server 100, security component 130 may be provided in the form of a plugin for the software tool. In alternative embodiments, connectivity component 122 may comprise a background process, such as a Linux daemon, running on server 100. In yet further embodiments, the functions of connectivity component 122 are comprised within packet forwarding function 106.
- In some embodiments, security component 130 is responsive to setup of a new virtual system on server 100. In a manner similar to that described previously in relation to connectivity component 122, security component 130 may be notified of the setup of a new virtual system on server 100 by orchestrator component 124, or alternatively security component 130 may monitor server 100 to determine when setup of a virtual system occurs.
- FIG. 16 illustrates a message flow for an access control process according to embodiments. Initially, setup notification 16 a, which relates to setup of a virtual system on server 100, is received by security component 130. In this case, setup notification 16 a relates to setup of virtual system 102. In the depicted embodiments, setup notification 16 a is sent by the orchestrator component 124. In alternative embodiments, setup notification 16 a may result from monitoring performed by security component 130. In response to receipt of setup notification 16 a, security component 130 is configured to determine, at step 1600, one or more entries to populate in access control data store 128. Security component 130 is then configured to populate the determined one or more entries in access control data store 128 by sending data entry update message 16 b. The entry in packet forwarding data store 118 may comprise at least the IP address of virtual system 102, as well as the IP address or IP address range for the one or more communication endpoints (such as other virtual systems in the data center network) with which communication is allowed (or restricted).
- In some embodiments, setup notification 16 a may comprise the IP address of virtual system 102, which is then used to populate the one or more entries in access control data store 128. In alternative embodiments, setup notification 16 a may comprise an identifier for virtual system 102, which can be resolved into an IP address for virtual system 102 by security component 122. In embodiments, setup notification 16 a may also comprise the IP address or IP address range for the one or more communication endpoints with which communication is allowed (or restricted), which is then used to populate the one or more entries in access control data store 128. In alternative embodiments, setup notification 16 a may comprise an identifier for the one or more communication endpoints, which can be resolved or mapped to an IP address or IP address range for the one or more communication endpoints by security component 130. In some embodiments, the determination, at step 1600, of the one or more entries to populate in access control data store 128 may comprise conversion of the various identifiers received in setup notification 16 a into the necessary entries for populating in access control data store 128.
- In some embodiments, security component 130 is further responsive to closure of virtual systems on server 100, in order to delete the previously populated entries in the access control data store 128. In such embodiments, security component 130 is notified through receipt of a closure notification when closure of a virtual system on server 100 occurs. Again, such closure notifications may be received from an orchestrator component 124, or may result from monitoring performed by security component 130.
- FIG. 17 illustrates a message flow for an access control process according to embodiments. Initially, closure notification 17 a, which relates to closure of a virtual system on server 100, is received by security component 130. In this case, closure notification 17 a relates to closure of virtual system 102. In the depicted embodiments, closure notification 17 a is sent by the orchestrator component 124. In alternative embodiments, closure notification 17 a may result from monitoring performed by security component 130. In response to receipt of closure notification 17 a, security component 130 may be configured to determine, at step 1700, one or more entries in access control data store 128 which require deletion. Security component 130 is then configured to delete the determined one or more entries in access control data store 128 by sending data entry update message 17 b.
- In embodiments, apparatus 100 may comprise a processor or processing system, as depicted by processor 132 in FIG. 1. In embodiments, the processing system may comprise one or more processors and/or memory. Each device as described in relation to any of the embodiments described above may similarly comprise a processor and/or processing system. One or more of the embodiments described herein with reference to the drawings comprise processes performed by apparatus 100. In some embodiments, apparatus 100 may comprise one or more processing systems or processors configured to carry out these processes. In this regard, some embodiments may be implemented at least in part by computer software stored in (non-transitory) memory and executable by the processor, or by hardware, or by a combination of tangibly stored software and hardware (and tangibly stored firmware). Embodiments also extend to computer programs, particularly computer programs on or in a carrier, adapted for putting the above described embodiments into practice. The program may be in the form of non-transitory source code, object code, or in any other non-transitory form suitable for use in the implementation of processes according to embodiments. The carrier may be any entity or device capable of carrying the program, such as a RAM, a ROM, or an optical memory device, etc.
- The above embodiments are to be understood as illustrative examples of the invention. Further embodiments of the invention are envisioned. It is to be understood that any feature described in relation to any one embodiment may be used alone, or in combination with other features described, and may also be used in combination with one or more features of any other of the embodiments, or any combination of any other of the embodiments. Furthermore, equivalents and modifications not described above may also be employed without departing from the scope of the invention, which is defined in the accompanying claims.
Claims (20)
1. A system, comprising:
an orchestrator component configured to send a setup notification relating to setup of a virtual system on a server;
a connectivity component configured to receive the setup notification, to create a virtual connection between the virtual system and a packet forwarding function, and to send a data entry update message; and
a packet forwarding data store configured to store the data entry update message.
2. The system of claim 1, wherein to create the virtual connection, the connectivity component is configured to set up a virtual interface in the packet forwarding function.
3. The system of claim 2, wherein the virtual interface is a virtual Ethernet port.
4. The system of claim 2, wherein the virtual interface comprises a network tunnel.
5. The system of claim 1, wherein the setup notification comprises an internet protocol (IP) address of the virtual system.
6. The system of claim 1, wherein the setup notification comprises an identifier of the virtual system.
7. The system of claim 1, wherein the identifier indicates a function associated with the virtual system.
8. The system of claim 7, wherein the connectivity component is configured to allocate an IP address to the virtual system based on the function associated with the virtual system.
9. The system of claim 1, wherein the data entry update message is an IP address associated with the virtual system.
10. The system of claim 1, wherein the connectivity component is configured to subscribe to notifications from the orchestrator.
11. The system of claim 1, wherein the packet forwarding data store is configured to store a forwarding information base and the packet forwarding function is configured to access the forwarding information base and to make a forwarding decision based on the forwarding information base.
12. The system of claim 1, further comprising an address translation data store configured to store an IP address of the virtual system and a MAC address of the virtual system.
13. The system of claim 1, wherein the setup notification at least includes a MAC address of the virtual system.
14. The system of claim 1, further comprising an access control data store configured to store allowed combinations of source and end IP addresses.
15. The system of claim 14, wherein in the event a combination of source and end IP addresses is not stored in the access control data store, the packet forwarding function is configured to drop a data packet.
16. The system of claim 14, wherein in the event a combination of source and end IP addresses is stored in the access control data store, the packet forwarding function is configured to forward a data packet to a destination end IP address.
17. The system of claim 14, wherein the packet forwarding function is configured to access the access control data store and to forward a data packet based on the allowed combinations of source and end IP addresses.
18. The system of claim 14, wherein the access control data store is configured to store a group of IP addresses associated with a set of virtual machines and in the event the virtual system is allocated an IP address in the group of IP addresses, the virtual machine is permitted to communicate with the set of virtual machines associated with the group of IP addresses.
19. A method, comprising:
receiving a setup notification relating to setup of a virtual system on a server;
in response to the setup notification, creating a virtual connection between the virtual system and a packet forwarding function;
sending a data entry update message to a packet forwarding data store, wherein the packet forwarding data store is configured to store the data entry update message.
20. A computer program product being embodied in a non-transitory computer readable storage medium and comprising instructions for:
receiving a setup notification relating to setup of a virtual system on a server;
in response to the setup notification, creating a virtual connection between the virtual system and a packet forwarding function;
sending a data entry update message to a packet forwarding data store, wherein the packet forwarding data store is configured to store the data entry update message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/383,090 US9800496B2 (en) | 2014-03-31 | 2016-12-19 | Data center networks |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/231,620 US9559950B2 (en) | 2014-03-31 | 2014-03-31 | Data center networks |
US15/383,090 US9800496B2 (en) | 2014-03-31 | 2016-12-19 | Data center networks |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/231,620 Continuation US9559950B2 (en) | 2014-03-31 | 2014-03-31 | Data center networks |
Publications (2)
Publication Number | Publication Date |
---|---|
US20170104674A1 true US20170104674A1 (en) | 2017-04-13 |
US9800496B2 US9800496B2 (en) | 2017-10-24 |
Family
ID=54191928
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/231,620 Active 2034-06-13 US9559950B2 (en) | 2014-03-31 | 2014-03-31 | Data center networks |
US15/383,090 Active US9800496B2 (en) | 2014-03-31 | 2016-12-19 | Data center networks |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/231,620 Active 2034-06-13 US9559950B2 (en) | 2014-03-31 | 2014-03-31 | Data center networks |
Country Status (1)
Country | Link |
---|---|
US (2) | US9559950B2 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180062908A1 (en) * | 2016-08-30 | 2018-03-01 | ColorTokens, Inc. | Allocation of virtual interfaces to containers |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6623656B2 (en) * | 2015-10-02 | 2019-12-25 | 富士通株式会社 | Communication control device, communication control method, and communication control program |
US11296960B2 (en) | 2018-03-08 | 2022-04-05 | Nicira, Inc. | Monitoring distributed applications |
US11340931B2 (en) | 2019-07-23 | 2022-05-24 | Vmware, Inc. | Recommendation generation based on selection of selectable elements of visual representation |
US11349876B2 (en) | 2019-07-23 | 2022-05-31 | Vmware, Inc. | Security policy recommendation generation |
US11436075B2 (en) | 2019-07-23 | 2022-09-06 | Vmware, Inc. | Offloading anomaly detection from server to host |
US11398987B2 (en) | 2019-07-23 | 2022-07-26 | Vmware, Inc. | Host-based flow aggregation |
US11176157B2 (en) * | 2019-07-23 | 2021-11-16 | Vmware, Inc. | Using keys to aggregate flows at appliance |
US11743135B2 (en) | 2019-07-23 | 2023-08-29 | Vmware, Inc. | Presenting data regarding grouped flows |
US11288256B2 (en) | 2019-07-23 | 2022-03-29 | Vmware, Inc. | Dynamically providing keys to host for flow aggregation |
US11343161B2 (en) * | 2019-11-04 | 2022-05-24 | Vmware, Inc. | Intelligent distributed multi-site application placement across hybrid infrastructure |
US11321213B2 (en) | 2020-01-16 | 2022-05-03 | Vmware, Inc. | Correlation key used to correlate flow and context data |
US11785032B2 (en) | 2021-01-22 | 2023-10-10 | Vmware, Inc. | Security threat detection based on network flow analysis |
US11991187B2 (en) | 2021-01-22 | 2024-05-21 | VMware LLC | Security threat detection based on network flow analysis |
US11997120B2 (en) | 2021-07-09 | 2024-05-28 | VMware LLC | Detecting threats to datacenter based on analysis of anomalous events |
US11831667B2 (en) | 2021-07-09 | 2023-11-28 | Vmware, Inc. | Identification of time-ordered sets of connections to identify threats to a datacenter |
US11792151B2 (en) | 2021-10-21 | 2023-10-17 | Vmware, Inc. | Detection of threats based on responses to name resolution requests |
US12015591B2 (en) | 2021-12-06 | 2024-06-18 | VMware LLC | Reuse of groups in security policy |
Citations (59)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5999514A (en) * | 1996-10-03 | 1999-12-07 | Fujitsu Limited | Virtual connection on establishment controlling apparatus in a cell switching system and subscriber service providing method, for use in a cell switching system |
US20020186698A1 (en) * | 2001-06-12 | 2002-12-12 | Glen Ceniza | System to map remote lan hosts to local IP addresses |
US20030055985A1 (en) * | 2001-08-03 | 2003-03-20 | Joshua Corb | System and method for integrating voice over internet protocol network with personal computing devices |
US20030118001A1 (en) * | 2001-12-20 | 2003-06-26 | Shyamal Prasad | Method and system using SS7 signaling control connection part (SCCP) in a distributed network having shared point codes |
US6760775B1 (en) * | 1999-03-05 | 2004-07-06 | At&T Corp. | System, method and apparatus for network service load and reliability management |
US6963926B1 (en) * | 1999-03-31 | 2005-11-08 | British Telecommunications Public Limited Company | Progressive routing in a communications network |
US20060140194A1 (en) * | 2004-12-27 | 2006-06-29 | Sylvain Monette | Adaptive router architecture using logical internal addressing |
US20060282887A1 (en) * | 2005-06-10 | 2006-12-14 | Fabian Trumper | Hybrid distributed firewall apparatus, systems, and methods |
US20070177548A1 (en) * | 2006-02-02 | 2007-08-02 | Fujitsu Limited | Call control system |
US7269157B2 (en) * | 2001-04-10 | 2007-09-11 | Internap Network Services Corporation | System and method to assure network service levels with intelligent routing |
US7274704B1 (en) * | 2000-07-14 | 2007-09-25 | Nortel Networks Limited | Piggybacking VPN information in BGP for network based VPN architectures |
US20070263660A1 (en) * | 2006-05-12 | 2007-11-15 | Fujitsu Limited | Packet transmission apparatus, packet forwarding method and packet transmission system |
US7324526B1 (en) * | 2002-10-11 | 2008-01-29 | Cisco Technology, Inc. | Efficient processing of connection control messages in managing virtual circuits using signaling protocols |
US20080077690A1 (en) * | 2006-09-27 | 2008-03-27 | Nec Corporation | System, method, and program for reducing server load |
US7471680B1 (en) * | 2002-06-24 | 2008-12-30 | Cisco Technology, Inc. | Method to enhance routing control in PNNI networks |
US20090041037A1 (en) * | 2007-08-06 | 2009-02-12 | Cisco Technology, Inc. | Border Router with Selective Filtering of Link State Advertisements |
US20090154357A1 (en) * | 2007-12-14 | 2009-06-18 | Verizon Business Network Services Inc. | Method and System for Providing Default Route Advertisement Protection |
US20090198817A1 (en) * | 2007-07-26 | 2009-08-06 | Northeastern University | System and method for virtual server migration across networks using dns and route triangulation |
US7583665B1 (en) * | 1997-10-03 | 2009-09-01 | Alcatel-Lucent Canada, Inc. | Method and apparatus for forwarding packets |
US20090296714A1 (en) * | 2008-05-30 | 2009-12-03 | Alexandre Gerber | Scalable multiprotocol label switching based virtual private networks and methods to implement the same |
US20100049968A1 (en) * | 2007-03-30 | 2010-02-25 | Theo Dimitrakos | Computer network |
US20100054120A1 (en) * | 2006-06-02 | 2010-03-04 | International Business Machines Corporation | Apparatus and method for cluster recovery |
US7715380B2 (en) * | 2003-06-19 | 2010-05-11 | Cisco Technology, Inc. | Apparatus and methods for handling shared services through virtual route forwarding (VRF)-aware-NAT |
US20100214949A1 (en) * | 2009-02-23 | 2010-08-26 | Cisco Technology, Inc. | Distributed data center access switch |
US20100223397A1 (en) * | 2009-02-27 | 2010-09-02 | Uri Elzur | Method and system for virtual machine networking |
US7822027B2 (en) * | 2006-10-05 | 2010-10-26 | Cisco Technology, Inc. | Network routing to the socket |
US20100322255A1 (en) * | 2009-06-22 | 2010-12-23 | Alcatel-Lucent Usa Inc. | Providing cloud-based services using dynamic network virtualization |
US20110019551A1 (en) * | 2009-07-27 | 2011-01-27 | Razoom, Inc. | FLOW STATE AWARE MANAGEMENT OF QoS WITH A DISTRIBUTED CLASSIFIER |
US20110064083A1 (en) * | 2008-09-30 | 2011-03-17 | Jay Charles Borkenhagen | Anycast-Based Internet Protocol Redirection To Alleviate Partial Routing Tables |
US20110082941A1 (en) * | 2009-10-06 | 2011-04-07 | Electronics And Telecommunications Research Institute | Method of providing direct communication in internet protocol network |
US20110103389A1 (en) * | 2009-11-03 | 2011-05-05 | Blade Network Technologies, Inc. | Method and apparatus for switching traffic between virtual machines |
US20110106959A1 (en) * | 2008-04-18 | 2011-05-05 | France Telecom | Method for transferring a flow between heterogeneous access points |
US20110113472A1 (en) * | 2009-11-10 | 2011-05-12 | Hei Tao Fung | Integrated Virtual Desktop and Security Management System |
US20110283017A1 (en) * | 2010-05-14 | 2011-11-17 | Microsoft Corporation | Interconnecting Members of a Virtual Network |
US8141156B1 (en) * | 2005-12-28 | 2012-03-20 | At&T Intellectual Property Ii, L.P. | Method and apparatus for mitigating routing misbehavior in a network |
US20120079478A1 (en) * | 2010-09-23 | 2012-03-29 | Cisco Technology, Inc. | Network Interface Controller for Virtual and Distributed Services |
US20120093154A1 (en) * | 2010-10-19 | 2012-04-19 | Eric Rosenberg | Methods and apparatus to utilize route parameter sets for exchanging routes in a communication network |
US20120117566A1 (en) * | 2010-05-07 | 2012-05-10 | Manabu Maeda | Information processing device, information processing method, and program distribution system |
US20120207160A1 (en) * | 2006-10-24 | 2012-08-16 | Cisco Technology, Inc. | Subnet scoped multicast/broadcast packet distribution mechanism over a routed network |
US20120287930A1 (en) * | 2011-05-13 | 2012-11-15 | Cisco Technology, Inc. | Local switching at a fabric extender |
US20120311673A1 (en) * | 2011-06-01 | 2012-12-06 | Comcast Cable Communications, Llc | Media usage monitoring and control |
US20130086236A1 (en) * | 2011-09-30 | 2013-04-04 | Stephan Baucke | Using mpls for virtual private cloud network isolation in openflow-enabled cloud computing |
US20130174150A1 (en) * | 2011-12-28 | 2013-07-04 | Hiroshi Nakajima | Information processing apparatus and communication control method |
US20130174151A1 (en) * | 2011-12-28 | 2013-07-04 | Hiroshi Nakajima | Information processing apparatus and method of controlling virtual machine |
US20130259052A1 (en) * | 2010-12-28 | 2013-10-03 | Ippei Akiyosh | Communication system, forwarding node, received packet process method, and program |
US20130268588A1 (en) * | 2012-04-04 | 2013-10-10 | Cisco Technology, Inc. | Location-Aware Virtual Service Provisioning in a Hybrid Cloud Environment |
US20130322446A1 (en) * | 2012-06-05 | 2013-12-05 | International Business Machines Corporation | Virtual ethernet port aggregation (vepa)-enabled multi-tenant overlay network |
US20130322453A1 (en) * | 2012-06-04 | 2013-12-05 | David Ian Allan | Routing vlan tagged packets to far end addresses of virtual forwarding instances using separate administrations |
US8693344B1 (en) * | 2011-09-27 | 2014-04-08 | Big Switch Network, Inc. | Systems and methods for generating packet forwarding rules based on network policy |
US20140098813A1 (en) * | 2012-10-10 | 2014-04-10 | Telefonaktiebolaget L M Ericsson (Publ) | Ip multicast service join process for mpls-based virtual private cloud networking |
US20140098815A1 (en) * | 2012-10-10 | 2014-04-10 | Telefonaktiebolaget L M Ericsson (Publ) | Ip multicast service leave process for mpls-based virtual private cloud networking |
US20140160984A1 (en) * | 2012-12-07 | 2014-06-12 | Tellabs Oy | Method and equipment for configuring a software-defined network |
US20140341019A1 (en) * | 2011-09-13 | 2014-11-20 | Nec Corporation | Communication system, control apparatus, and communication method |
US20140351452A1 (en) * | 2013-05-21 | 2014-11-27 | Cisco Technology, Inc. | Chaining Service Zones by way of Route Re-Origination |
US20140351371A1 (en) * | 2013-05-24 | 2014-11-27 | Red Hat, Inc. | Overlay network over a messaging network |
US20150055571A1 (en) * | 2011-12-07 | 2015-02-26 | Nokia Solutions And Networks Oy | Link model for multi-prefix packet system bearer |
US20150117445A1 (en) * | 2011-08-17 | 2015-04-30 | Nicira, Inc. | Packet Conflict Resolution |
US20150124608A1 (en) * | 2013-11-05 | 2015-05-07 | International Business Machines Corporation | Adaptive Scheduling of Data Flows in Data Center Networks for Efficient Resource Utilization |
US20150163162A1 (en) * | 2013-12-10 | 2015-06-11 | International Business Machines Corporation | Software-defined networking single-source enterprise workload manager |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2458154B (en) | 2008-03-07 | 2012-06-27 | Hewlett Packard Development Co | Routing across a virtual network |
US8345692B2 (en) | 2010-04-27 | 2013-01-01 | Cisco Technology, Inc. | Virtual switching overlay for cloud computing |
CN104396192B (en) | 2010-06-29 | 2018-03-06 | 华为技术有限公司 | Dissymmetric network address encapsulates |
CN102394831A (en) | 2011-11-28 | 2012-03-28 | 杭州华三通信技术有限公司 | Flow uninterruptible method and device based on virtual machine VM (virtual memory) migration |
US8584215B2 (en) | 2012-02-07 | 2013-11-12 | Cisco Technology, Inc. | System and method for securing distributed exporting models in a network environment |
- 2014: 2014-03-31 US US14/231,620 patent/US9559950B2/en active Active
- 2016: 2016-12-19 US US15/383,090 patent/US9800496B2/en active Active
Patent Citations (61)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5999514A (en) * | 1996-10-03 | 1999-12-07 | Fujitsu Limited | Virtual connection on establishment controlling apparatus in a cell switching system and subscriber service providing method, for use in a cell switching system |
US7583665B1 (en) * | 1997-10-03 | 2009-09-01 | Alcatel-Lucent Canada, Inc. | Method and apparatus for forwarding packets |
US6760775B1 (en) * | 1999-03-05 | 2004-07-06 | At&T Corp. | System, method and apparatus for network service load and reliability management |
US6963926B1 (en) * | 1999-03-31 | 2005-11-08 | British Telecommunications Public Limited Company | Progressive routing in a communications network |
US7274704B1 (en) * | 2000-07-14 | 2007-09-25 | Nortel Networks Limited | Piggybacking VPN information in BGP for network based VPN architectures |
US7269157B2 (en) * | 2001-04-10 | 2007-09-11 | Internap Network Services Corporation | System and method to assure network service levels with intelligent routing |
US20020186698A1 (en) * | 2001-06-12 | 2002-12-12 | Glen Ceniza | System to map remote lan hosts to local IP addresses |
US20030055985A1 (en) * | 2001-08-03 | 2003-03-20 | Joshua Corb | System and method for integrating voice over internet protocol network with personal computing devices |
US20030118001A1 (en) * | 2001-12-20 | 2003-06-26 | Shyamal Prasad | Method and system using SS7 signaling control connection part (SCCP) in a distributed network having shared point codes |
US7471680B1 (en) * | 2002-06-24 | 2008-12-30 | Cisco Technology, Inc. | Method to enhance routing control in PNNI networks |
US20080107117A1 (en) * | 2002-10-11 | 2008-05-08 | Cisco Technology, Inc. | Efficient Processing of Connection Control Messages in Managing Virtual Circuits Using Signaling Protocols |
US7324526B1 (en) * | 2002-10-11 | 2008-01-29 | Cisco Technology, Inc. | Efficient processing of connection control messages in managing virtual circuits using signaling protocols |
US7715380B2 (en) * | 2003-06-19 | 2010-05-11 | Cisco Technology, Inc. | Apparatus and methods for handling shared services through virtual route forwarding (VRF)-aware-NAT |
US20060140194A1 (en) * | 2004-12-27 | 2006-06-29 | Sylvain Monette | Adaptive router architecture using logical internal addressing |
US20060282887A1 (en) * | 2005-06-10 | 2006-12-14 | Fabian Trumper | Hybrid distributed firewall apparatus, systems, and methods |
US8141156B1 (en) * | 2005-12-28 | 2012-03-20 | At&T Intellectual Property Ii, L.P. | Method and apparatus for mitigating routing misbehavior in a network |
US20070177548A1 (en) * | 2006-02-02 | 2007-08-02 | Fujitsu Limited | Call control system |
US20070263660A1 (en) * | 2006-05-12 | 2007-11-15 | Fujitsu Limited | Packet transmission apparatus, packet forwarding method and packet transmission system |
US20100054120A1 (en) * | 2006-06-02 | 2010-03-04 | International Business Machines Corporation | Apparatus and method for cluster recovery |
US20080077690A1 (en) * | 2006-09-27 | 2008-03-27 | Nec Corporation | System, method, and program for reducing server load |
US7822027B2 (en) * | 2006-10-05 | 2010-10-26 | Cisco Technology, Inc. | Network routing to the socket |
US20120207160A1 (en) * | 2006-10-24 | 2012-08-16 | Cisco Technology, Inc. | Subnet scoped multicast/broadcast packet distribution mechanism over a routed network |
US20100049968A1 (en) * | 2007-03-30 | 2010-02-25 | Theo Dimitrakos | Computer network |
US20090198817A1 (en) * | 2007-07-26 | 2009-08-06 | Northeastern University | System and method for virtual server migration across networks using dns and route triangulation |
US20090041037A1 (en) * | 2007-08-06 | 2009-02-12 | Cisco Technology, Inc. | Border Router with Selective Filtering of Link State Advertisements |
US20090154357A1 (en) * | 2007-12-14 | 2009-06-18 | Verizon Business Network Services Inc. | Method and System for Providing Default Route Advertisement Protection |
US20110106959A1 (en) * | 2008-04-18 | 2011-05-05 | France Telecom | Method for transferring a flow between heterogeneous access points |
US20090296714A1 (en) * | 2008-05-30 | 2009-12-03 | Alexandre Gerber | Scalable multiprotocol label switching based virtual private networks and methods to implement the same |
US20110064083A1 (en) * | 2008-09-30 | 2011-03-17 | Jay Charles Borkenhagen | Anycast-Based Internet Protocol Redirection To Alleviate Partial Routing Tables |
US20100214949A1 (en) * | 2009-02-23 | 2010-08-26 | Cisco Technology, Inc. | Distributed data center access switch |
US20100223397A1 (en) * | 2009-02-27 | 2010-09-02 | Uri Elzur | Method and system for virtual machine networking |
US20100322255A1 (en) * | 2009-06-22 | 2010-12-23 | Alcatel-Lucent Usa Inc. | Providing cloud-based services using dynamic network virtualization |
US20110019551A1 (en) * | 2009-07-27 | 2011-01-27 | Razoom, Inc. | FLOW STATE AWARE MANAGEMENT OF QoS WITH A DISTRIBUTED CLASSIFIER |
US20110082941A1 (en) * | 2009-10-06 | 2011-04-07 | Electronics And Telecommunications Research Institute | Method of providing direct communication in internet protocol network |
US20110103389A1 (en) * | 2009-11-03 | 2011-05-05 | Blade Network Technologies, Inc. | Method and apparatus for switching traffic between virtual machines |
US20110113472A1 (en) * | 2009-11-10 | 2011-05-12 | Hei Tao Fung | Integrated Virtual Desktop and Security Management System |
US20120117566A1 (en) * | 2010-05-07 | 2012-05-10 | Manabu Maeda | Information processing device, information processing method, and program distribution system |
US20110283017A1 (en) * | 2010-05-14 | 2011-11-17 | Microsoft Corporation | Interconnecting Members of a Virtual Network |
US20120079478A1 (en) * | 2010-09-23 | 2012-03-29 | Cisco Technology, Inc. | Network Interface Controller for Virtual and Distributed Services |
US8804747B2 (en) * | 2010-09-23 | 2014-08-12 | Cisco Technology, Inc. | Network interface controller for virtual and distributed services |
US20120093154A1 (en) * | 2010-10-19 | 2012-04-19 | Eric Rosenberg | Methods and apparatus to utilize route parameter sets for exchanging routes in a communication network |
US20130259052A1 (en) * | 2010-12-28 | 2013-10-03 | Ippei Akiyosh | Communication system, forwarding node, received packet process method, and program |
US20120287930A1 (en) * | 2011-05-13 | 2012-11-15 | Cisco Technology, Inc. | Local switching at a fabric extender |
US20120311673A1 (en) * | 2011-06-01 | 2012-12-06 | Comcast Cable Communications, Llc | Media usage monitoring and control |
US20150117445A1 (en) * | 2011-08-17 | 2015-04-30 | Nicira, Inc. | Packet Conflict Resolution |
US20140341019A1 (en) * | 2011-09-13 | 2014-11-20 | Nec Corporation | Communication system, control apparatus, and communication method |
US8693344B1 (en) * | 2011-09-27 | 2014-04-08 | Big Switch Network, Inc. | Systems and methods for generating packet forwarding rules based on network policy |
US20130086236A1 (en) * | 2011-09-30 | 2013-04-04 | Stephan Baucke | Using mpls for virtual private cloud network isolation in openflow-enabled cloud computing |
US20150055571A1 (en) * | 2011-12-07 | 2015-02-26 | Nokia Solutions And Networks Oy | Link model for multi-prefix packet system bearer |
US20130174151A1 (en) * | 2011-12-28 | 2013-07-04 | Hiroshi Nakajima | Information processing apparatus and method of controlling virtual machine |
US20130174150A1 (en) * | 2011-12-28 | 2013-07-04 | Hiroshi Nakajima | Information processing apparatus and communication control method |
US20130268588A1 (en) * | 2012-04-04 | 2013-10-10 | Cisco Technology, Inc. | Location-Aware Virtual Service Provisioning in a Hybrid Cloud Environment |
US20130322453A1 (en) * | 2012-06-04 | 2013-12-05 | David Ian Allan | Routing vlan tagged packets to far end addresses of virtual forwarding instances using separate administrations |
US20130322446A1 (en) * | 2012-06-05 | 2013-12-05 | International Business Machines Corporation | Virtual ethernet port aggregation (vepa)-enabled multi-tenant overlay network |
US20140098815A1 (en) * | 2012-10-10 | 2014-04-10 | Telefonaktiebolaget L M Ericsson (Publ) | Ip multicast service leave process for mpls-based virtual private cloud networking |
US20140098813A1 (en) * | 2012-10-10 | 2014-04-10 | Telefonaktiebolaget L M Ericsson (Publ) | Ip multicast service join process for mpls-based virtual private cloud networking |
US20140160984A1 (en) * | 2012-12-07 | 2014-06-12 | Tellabs Oy | Method and equipment for configuring a software-defined network |
US20140351452A1 (en) * | 2013-05-21 | 2014-11-27 | Cisco Technology, Inc. | Chaining Service Zones by way of Route Re-Origination |
US20140351371A1 (en) * | 2013-05-24 | 2014-11-27 | Red Hat, Inc. | Overlay network over a messaging network |
US20150124608A1 (en) * | 2013-11-05 | 2015-05-07 | International Business Machines Corporation | Adaptive Scheduling of Data Flows in Data Center Networks for Efficient Resource Utilization |
US20150163162A1 (en) * | 2013-12-10 | 2015-06-11 | International Business Machines Corporation | Software-defined networking single-source enterprise workload manager |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180062908A1 (en) * | 2016-08-30 | 2018-03-01 | ColorTokens, Inc. | Allocation of virtual interfaces to containers |
US10938619B2 (en) * | 2016-08-30 | 2021-03-02 | ColorTokens, Inc. | Allocation of virtual interfaces to containers |
Also Published As
Publication number | Publication date |
---|---|
US20150281056A1 (en) | 2015-10-01 |
US9800496B2 (en) | 2017-10-24 |
US9559950B2 (en) | 2017-01-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10693678B2 (en) | Data center networks | |
US9800496B2 (en) | Data center networks | |
US11736394B2 (en) | Address resolution using multiple designated instances of a logical router | |
US10469442B2 (en) | Adaptive resolution of domain name requests in virtual private cloud network environments | |
US11546288B2 (en) | Techniques for managing software defined networking controller in-band communications in a data center network | |
US9584340B2 (en) | Data center networks | |
CN114697252B (en) | Computer network method, software defined network controller and storage medium | |
EP2982097B1 (en) | Method and apparatus for exchanging ip packets among network layer 2 peers | |
US10205698B1 (en) | Source-dependent address resolution | |
CN112910750B (en) | Method, apparatus, system, and medium for address resolution using logical router | |
US20150124823A1 (en) | Tenant dhcp in an overlay network | |
US20150058463A1 (en) | Proxy methods for suppressing broadcast traffic in a network | |
US10530656B2 (en) | Traffic replication in software-defined networking (SDN) environments | |
US9203753B2 (en) | Traffic optimization using network address and port translation in a computer cluster | |
WO2020108587A1 (en) | Data processing method, controller and forwarding device | |
EP2548346B1 (en) | Packet node for applying service path routing at the mac layer | |
US9438475B1 (en) | Supporting relay functionality with a distributed layer 3 gateway | |
EP3944568A1 (en) | Generating route distinguishers for virtual private network addresses based on physical hardware addresses | |
WO2023168287A1 (en) | Synchronizing dynamic host configuration protocol snoop information | |
US11991097B2 (en) | Hybrid data plane for a containerized router | |
CN118300981A (en) | Network address conversion gateway configuration method and cloud management platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY. Year of fee payment: 4 |